iTwin / itwinjs-core

Monorepo for iTwin.js Library
https://www.itwinjs.org
MIT License

Setting authority for client configuration? #940

Closed BaoTon closed 3 years ago

BaoTon commented 3 years ago

Is there any way I can set an authority property for BackendAuthorizationClient? developer.bentley.com uses a different issuer, and using APIs from that authority requires the URL set to "https://ims.bentley.com" rather than "https://imsoidc.bentley.com".



calebmshafer commented 3 years ago

@BaoTon the most direct way to switch the issuer is by creating a sub-class of BackendAuthorizationClient and overriding the getUrl() method to provide the new issuer URL.

BaoTon commented 3 years ago

Okay, that's what I was planning on doing. Also, not sure if intended but older OIDC clients can't seem to call the newer APIs such as https://developer.bentley.com/api-groups/administration/apis/projects/operations/get-project-validation-tests - even though they share the same scope and I swapped out to the newer issuer.

New applications I created from developer.bentley.com have something unique about them versus the old registration-dashboard.

calebmshafer commented 3 years ago

Yes, this is due to the newer APIs available at developer.bentley.com using "https://ims.bentley.com" as their issuer when validating the incoming token. Whereas the currently used service APIs, from various urls, are using "https://imsoidc.bentley.com" as you highlighted above.

This will require an application to use the appropriate issuer for its use-case, or the easier solution is to get a token for both if you're consuming the new APIs at all. Since both tokens are issued from the same authority, the session will be the same, therefore not requiring an interactive sign-in for the second token request, rather just a silent sign-in workflow to get the new one.

You're correct in that this isn't currently documented anywhere, or easily usable within our clients. I will try and take a pass at it in the next couple days to see if I can make this easier with the current clients and/or better docs.
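The two points made above, switching the issuer by overriding getUrl() and checking which authority actually issued a token before presenting it to an API, as an added example that is not part of this thread or of itwinjs-core. StandInAuthorizationClient is an assumed stand-in for BackendAuthorizationClient so the override pattern runs without the @itwin packages; the sample token is constructed and unsigned, and the decoder inspects the `iss` claim only, it does not verify anything.

```typescript
// Added example, not itwinjs-core code. StandInAuthorizationClient is an
// assumed stand-in for BackendAuthorizationClient; only getUrl() is modelled.
const LEGACY_ISSUER = "https://imsoidc.bentley.com";
const NEW_ISSUER = "https://ims.bentley.com";

class StandInAuthorizationClient {
  // Issuer used for OIDC discovery and token requests.
  protected getUrl(): string {
    return LEGACY_ISSUER;
  }
  public issuer(): string {
    return this.getUrl();
  }
}

// Sub-class that switches the issuer, the approach suggested in the thread.
class ImsAuthorizationClient extends StandInAuthorizationClient {
  protected getUrl(): string {
    return NEW_ISSUER;
  }
}

// base64url <-> text helpers (atob/btoa exist in browsers and Node 16+).
function b64urlEncode(text: string): string {
  return btoa(text).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(b64url: string): string {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Decode a JWT payload WITHOUT verifying the signature. Use it only to see
// which authority issued a token; trusting the claims requires signature checks,
// which are the resource server's job.
function decodeJwtPayload(token: string): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  return JSON.parse(b64urlDecode(parts[1])) as Record<string, unknown>;
}

// Trailing slashes and letter case differ between configs; compare normalised.
function normalizeIssuer(iss: string): string {
  return iss.replace(/\/+$/, "").toLowerCase();
}

// True when the token's `iss` claim is the issuer the target API validates against.
function tokenMatchesApiIssuer(token: string, apiIssuer: string): boolean {
  const iss = decodeJwtPayload(token).iss;
  return typeof iss === "string" && normalizeIssuer(iss) === normalizeIssuer(apiIssuer);
}

// Constructed sample token: real header/payload encoding, placeholder signature.
function makeSampleToken(iss: string): string {
  const header = b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64urlEncode(JSON.stringify({ iss, sub: "constructed-user", scope: "itwinjs" }));
  return `${header}.${payload}.placeholder-signature`;
}

// Explain the mismatch from the thread: a token from the legacy issuer
// presented to an API that validates against ims.bentley.com.
function explainTokenForApi(token: string, apiIssuer: string): string {
  return tokenMatchesApiIssuer(token, apiIssuer)
    ? "issuer matches: the API should accept this token"
    : `issuer mismatch: token issued by ${String(decodeJwtPayload(token).iss)}, API expects ${apiIssuer}`;
}

console.log(explainTokenForApi(makeSampleToken(LEGACY_ISSUER), NEW_ISSUER));
console.log(explainTokenForApi(makeSampleToken(NEW_ISSUER), NEW_ISSUER));
console.log("sub-class issuer:", new ImsAuthorizationClient().issuer());
```

When an API returns 401 for a token that carries the right scope, running the bearer token through explainTokenForApi against the API's documented issuer separates an issuer mismatch from a scope or expiry problem without touching any secret; the decoder never validates the signature, so its output is only a diagnostic, never an authorization decision.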

deanmarcussen commented 3 years ago

For info, just ran across this again this morning with the CRA getting-started scripts; setting the Bentley authority to https://ims.bentley.com resolved the issue.

  const authConfig: BrowserAuthorizationClientConfiguration = {
    authority: "https://ims.bentley.com",
    scope: process.env.IMJS_AUTH_CLIENT_SCOPES ?? "",
    clientId: process.env.IMJS_AUTH_CLIENT_CLIENT_ID ?? "",
    redirectUri: process.env.IMJS_AUTH_CLIENT_REDIRECT_URI ?? "",
    postSignoutRedirectUri: process.env.IMJS_AUTH_CLIENT_LOGOUT_URI,
    responseType: "code",
    noSilentSignInOnAppStartup: true
  };

calebmshafer commented 3 years ago

Yes, an update has been made to support the https://ims.bentley.com issuer for all APIs with a new itwinjs scope. @aruniverse has a good explanation here. He is referencing Desktop specifically but the same applies to Web as well.