I am building an AngularJS application that is supposed to retrieve data from an API. The API is doing an introspection against the OIDC provider of my choice to verify the token sent alongside with the API call.
The client side is not supposed to be callable before signing in on the OIDC login page. To do so, it is protected by an apache http server using mod_auth_openidc. This mod makes sure, that the client is being redirected to the OIDC provider login if no token is present. After successful login, the AngularJS application is loaded.
My question is how to retrieve the token within the AngularJS client so that I can forward it to the API?
You can have mod_auth_openidc make the access token available to the AngularJS app through a header (see: https://github.com/zmartzone/mod_auth_openidc/issues/76) or on an endpoint (see: https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications#session-info).