We attached two different OIDC providers to our Customer Portal (Power Apps). The customer can choose one of them for login (basically two buttons). Both providers map to the same user (two external identities). One provider has a higher level of authentication (SwissId in our case).
If the user chooses this provider, he should have more rights during the HTTP session.
It is important that the additional rights only exist in the session. If the user chooses to log in with the lower-rights provider, he should always have lower rights in his session. That means in particular that if the user is logged in on two different browsers with different OIDC providers on two different computers at the same time, each browser session should have different rights.
Our current approach overwrites an attribute in the contact table on every login with a provider-unique property from the ID token. Depending on the state of the property in the contact table, the user has different rights. We implemented frontend logic that stores the attribute immediately after login in the frontend and then performs checks against the contact table. If we detect a change in the attribute, we trigger a logout from the frontend. Obviously this approach is not safe.
We are looking for solutions like:
Is there a session-based rights management in Power Apps?
If not: Can we invalidate all existing sessions after a user logs in?
If not: Any solution that works out of the box?
If not: Is there a workaround that is not nice but at least safe?
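As an added illustration (not part of the question and not Power Apps or Dataverse code), the following Python model contrasts the shared contact-attribute design described in the post with a session-bound one; all class, attribute and provider names are constructed assumptions.

```python
# Constructed model of the two designs discussed above; the names are
# assumptions, not Power Apps / Dataverse APIs.
from dataclasses import dataclass

# Assurance level per OIDC provider (constructed values).
ASSURANCE = {"swissid": 2, "basic": 1}

@dataclass
class Contact:
    # One record shared by every session of this user (the contact table).
    last_provider: str = "basic"

@dataclass
class Session:
    user: str
    # Provider recorded for *this* login only.
    provider: str

class SharedAttributeAuthz:
    """Rights derived from the shared contact record (the post's current design)."""
    def __init__(self):
        self.contacts = {}
    def login(self, user, provider):
        # Every login overwrites the shared attribute, which changes the rights
        # of all other live sessions of the same user.
        self.contacts.setdefault(user, Contact()).last_provider = provider
        return Session(user, provider)
    def level(self, session):
        return ASSURANCE[self.contacts[session.user].last_provider]

class SessionBoundAuthz:
    """Rights derived only from the provider captured at this session's login."""
    def login(self, user, provider):
        return Session(user, provider)
    def level(self, session):
        return ASSURANCE[session.provider]

def downgrade_scenario(authz):
    """Browser 1 logs in via SwissId, browser 2 via the basic provider.
    Returns the rights level seen by (session 1, session 2)."""
    a = authz.login("alice", "swissid")
    b = authz.login("alice", "basic")
    return authz.level(a), authz.level(b)

def escalation_scenario(authz):
    """Browser 1 logs in via the basic provider, browser 2 via SwissId.
    With shared state, session 1 silently inherits the higher level."""
    a = authz.login("alice", "basic")
    b = authz.login("alice", "swissid")
    return authz.level(a), authz.level(b)
```

With the shared attribute both sessions always end up at the level of whichever login happened last; the session-bound variant keeps each browser at the level of its own login, which is the behaviour the question asks for.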