Hi,
I'm using IdentityServer4 with the following setup:
I have two JavaScript apps and one token server.
The server is configured with a single client called "js" and two api resources/scopes called "portal" and "account". The client apps are using oidc-client for managing the auth. Mainly the silent sign in method is used as far as possible.
For example, here the token server is reachable under "auth.example.com" and the two apps have "portal.example.com" and "account.example.com".
Scope "portal"
Claims: sub portal
Scope "account"
Claims: sub idp account
Client "js"
Implicit, JWT
URIs: portal.example.com, account.example.com
Scopes: openid portal account
Token Server (Authority)
URI: auth.example.com
Now, when I call "portal.example.com" I get redirected to "auth.example.com", logging in and get redirected back to "portal.example.com". So far so good. Everything works.
When I now go to "account.example.com", oidc-client calls the /connect/authorize endpoint (silent) and directly gets the token back, because I'm still logged in at "auth.example.com" from the first step (portal).
Here is my problem. I would like to force the user to login/authorize again, because a new scope ("account") is requested that was never requested before in this login session.
I guess the problem is that in reference to the session cookies under "auth.example.com" there is no reference to which scopes are already authorized and which not. But maybe you have an idea?
Thanks in advance!
Maas