Open rhuanbarreto opened 8 months ago
@rhuanbarreto is this different from the need for #22047 that you had talked to me about? Because I remember that was also about not having user-specific scopes requested.
Also, why not have a separate datasource depending on the scopes you need, or have a single datasource that requests all the scopes?
Yes. The OBO flow reuses the token from SSO. PKCE issues a token regardless of SSO.
@rhuanbarreto if you're just looking to reuse the token from SSO, wouldn't substituting the access token in the API call work for you? https://docs.appsmith.com/getting-started/setup/instance-configuration/authentication/json-web-tokens-jwt#access-token
I need to first call the MSFT auth endpoint to request a new token with the right scope, sending the <<APPSMITH_USER_OAUTH2_ACCESS_TOKEN>>, and then the token I get as a result must be passed to call the REST endpoint.
@rhuanbarreto so can you store the token you get as a result in the Appsmith store and send it in the next API?
Yes. Correct.
@rhuanbarreto to confirm, this means that this flow is possible today, what you are suggesting is just a more convenient way of achieving it. Am I correct?
Today it's not possible. The Appsmith backend must call the OIDC authorization endpoint again to exchange the token.
Is there an existing issue for this?
Summary
Appsmith SSO can retrieve a token and make it available to be used in REST API calls. But for Azure AD SSO (my case), the scopes requested by the login (openid, offline_access, profile) cannot be used to call other REST endpoints that require different scopes.
In order to use the SSO token to call those REST APIs with the user identity, you need to use the OBO flow.
My request is to support the OBO flow so the token can be exchanged for a token that has the right scope to call my REST APIs.
Why should this be worked on?
Today Appsmith has a big weakness in authentication: it doesn't allow you to reuse the auth token to call other services that rely on the same auth scheme. With the auth token provided, you can only call the scopes the token was requested for.
This is important for business customers.
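The token exchange the issue asks for, as an added example that is not part of the issue and not Appsmith's code: a server-side Microsoft identity platform On-Behalf-Of (OBO) request, where the user's SSO access token is posted as the `assertion` and a new token scoped to the downstream REST API comes back. The request shape (`grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, `requested_token_use=on_behalf_of`) follows Microsoft's OBO documentation; the tenant, client id, client secret, scope, the `buildOboRequest`/`exchangeOnBehalfOf`/`decodeJwtPayload` helpers and the mock token endpoint are all constructed here so the example runs offline.

```javascript
// Added example (not Appsmith code): OBO exchange of an SSO access token for a
// token scoped to a downstream API, run on the server so the client secret never
// reaches the browser. Endpoint and parameter names follow Microsoft's OBO docs;
// all concrete values below are constructed placeholders.
const tokenEndpoint = (tenant) =>
  `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;

// Build the form body for the OBO grant. `assertion` is the access token the
// user obtained at SSO (what Appsmith exposes as APPSMITH_USER_OAUTH2_ACCESS_TOKEN).
function buildOboRequest({ clientId, clientSecret, assertion, scope }) {
  if (!assertion) throw new Error("missing SSO access token");
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    requested_token_use: "on_behalf_of",
    client_id: clientId,
    client_secret: clientSecret,
    assertion,
    scope, // the downstream API's scope, e.g. "api://my-backend/.default"
  });
}

// Decode a JWT payload WITHOUT verifying the signature. Only useful for logging
// which audience/scope came back; the downstream API is what verifies the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// POST the exchange. `fetchImpl` is injected so the example can run offline;
// in production pass the global fetch.
async function exchangeOnBehalfOf(fetchImpl, tenant, request) {
  const res = await fetchImpl(tokenEndpoint(tenant), {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: request.toString(),
  });
  const body = await res.json();
  if (!res.ok) {
    // Entra ID returns { error, error_description }; log the code, not the secret.
    throw new Error(`OBO exchange failed: ${body.error || res.status}`);
  }
  return body.access_token;
}

// Constructed mock of the token endpoint: it rejects requests that lack the OBO
// parameters and otherwise mints a token whose payload carries the requested
// audience (scope with the trailing "/.default" removed) and a scp claim.
function makeMockFetch() {
  return async (_url, init) => {
    const p = new URLSearchParams(init.body);
    const ok =
      p.get("grant_type") === "urn:ietf:params:oauth:grant-type:jwt-bearer" &&
      p.get("requested_token_use") === "on_behalf_of" &&
      Boolean(p.get("assertion"));
    const reply = (obj) => ({ ok, status: ok ? 200 : 400, json: async () => obj });
    if (!ok) return reply({ error: "invalid_grant" });
    const aud = (p.get("scope") || "").replace(/\/\.default$/, "");
    const payload = Buffer.from(JSON.stringify({ aud, scp: "Read" })).toString("base64url");
    return reply({ access_token: `hdr.${payload}.sig`, token_type: "Bearer" });
  };
}

// Constructed placeholder inputs; the SSO token is a fake JWT built inline.
const DEMO = {
  tenant: "00000000-0000-0000-0000-000000000000",
  clientId: "appsmith-client-id-placeholder",
  clientSecret: "client-secret-placeholder",
  ssoToken: "hdr." + Buffer.from(JSON.stringify({ aud: "sso-audience-placeholder" })).toString("base64url") + ".sig",
  scope: "api://my-backend/.default",
};

// Full flow: SSO token in, downstream-scoped token out, audience checked before use.
async function demo(fetchImpl = makeMockFetch()) {
  const req = buildOboRequest({
    clientId: DEMO.clientId, clientSecret: DEMO.clientSecret,
    assertion: DEMO.ssoToken, scope: DEMO.scope,
  });
  const downstreamToken = await exchangeOnBehalfOf(fetchImpl, DEMO.tenant, req);
  const claims = decodeJwtPayload(downstreamToken);
  // The REST call then uses downstreamToken, not the SSO token:
  //   fetch("https://my-backend.example/items", { headers: { Authorization: `Bearer ${downstreamToken}` } })
  return { downstreamToken, aud: claims.aud, scp: claims.scp };
}

demo().then((r) => console.log("downstream token audience:", r.aud, "scope:", r.scp));
```

The point the thread makes is visible in the code: the SSO token is only ever sent as the `assertion`, and the REST API receives the newly minted token whose `aud` matches its own scope. Because the exchange needs the confidential client's secret, it belongs on the backend (as the issue says), not in the app's client-side JS.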