OIDC for static resources
Use case
A SPA consumes a REST API in the same business domain.
The customer has been authenticated in the SPA using the authorization code flow. The SPA sends AJAX queries with a bearer token to consume the REST API.
The REST API is protected by a bearer-only client.
The developer wants to display, or allow the user to download, a protected image served by a resource server in the same business domain.
<a href="http://dns/static/test.png" download="test.png" target="_blank">test</a>
<img src="http://dns/static/test.png">
Unfortunately, the GET request the browser issues for test.png does not carry the bearer token, so the image cannot be displayed.
Different strategies are described in these articles:
Solution
If the static resources and the SPA are in the same business domain, the easiest solution is to enable direct authentication in the relying party of the API by changing the bearer-only client to a confidential client with the same audience.
The relying party of the API will then detect the authentication cookie and apply the SSO process.
Consequently, the image will be displayed correctly and the download link will work.
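As an added example (not code from the original post), here is a Python sketch of the decision the resource server makes once its client is confidential: accept the SPA's bearer token when present, otherwise fall back to the SSO session cookie the browser sends with `<img>` and `<a download>` requests, and only then start the code flow. The signing key, demo token signer, session store, audience and URLs are all constructed for the example.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Constructed values for this example; none come from a real deployment.
API_AUDIENCE = "static-api"      # audience shared by the SPA's token and the resource client
HS256_KEY = b"constructed-demo-key"
AUTHORIZE_URL = "https://idp.example/auth"
SESSIONS = {"sess-42": "alice"}  # cookie value -> subject, filled by the code-flow callback

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_demo_token(sub: str, aud: str) -> str:
    """Issue an HS256 JWT the way the SPA would receive one (demo signer only)."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps({"sub": sub, "aud": aud}).encode())
    sig = hmac.new(HS256_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def verify_bearer(token: str):
    """Check signature and audience; return the subject, or None if rejected."""
    try:
        head, body, sig = token.split(".")
        expect = hmac.new(HS256_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, _unb64u(sig)):
            return None
        claims = json.loads(_unb64u(body))
    except ValueError:
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return claims.get("sub") if API_AUDIENCE in aud else None

def authenticate(method: str, headers: dict, cookies: dict):
    """Return ("bearer"|"cookie", subject), ("redirect", url) or ("deny", "")."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        sub = verify_bearer(auth[len("Bearer "):])
        return ("bearer", sub) if sub else ("deny", "")
    # <img>/<a download> requests carry cookies but no Authorization header, so a
    # confidential client falls back to the SSO session, for safe GETs only.
    sub = SESSIONS.get(cookies.get("SESSION", ""))
    if sub and method == "GET":
        return ("cookie", sub)
    if headers.get("X-Requested-With") == "XMLHttpRequest":
        return ("deny", "")  # AJAX callers hold the token; a redirect would not help
    params = {"client_id": API_AUDIENCE, "response_type": "code", "scope": "openid",
              "redirect_uri": "https://dns/callback", "state": "bind-to-session"}
    return ("redirect", f"{AUTHORIZE_URL}?{urlencode(params)}")
```

The cookie path is accepted only for GET so that the session cookie never authorises state-changing API calls; AJAX calls keep using the token.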