Hi @Oneal, James
Yes, it is possible to redirect users from the same domain to different identity providers in OAuth 2.0 authorization code flow based on some criteria.
Here is one way to achieve this:
- Set up two authorization servers for the two different identity providers. Each will have its own client ID and client secret for your application.
- In your authorization endpoint on your application, check the user's email or other criteria to determine which identity provider they should use.
- Based on the criteria, redirect the user to the authorization URL of the appropriate identity provider. For example:
```javascript
if (user.email.endsWith('@domain1.com')) {
  // redirect to authorization endpoint for IP1
} else {
  // redirect to authorization endpoint for IP2
}
```
- When you get the authorization code back, redeem it with the appropriate identity provider's token endpoint to get the access token.
- Validate the ID token from each identity provider to get user details. Maintain a mapping of email/userID to the identity provider.
- For future requests, look up the user's email in the mapping to determine which identity provider to use for authentication/authorization.
The key is determining the correct identity provider to use for each user on the first login based on some criteria, and maintaining a mapping for future logins. The authorization code flow remains the same otherwise.