feat(api): create oidc token for given audience

api/lib/application/authentication/oidc/index.js

@@ -90,6 +90,7 @@ const register = async function (server) {
                 code: Joi.string().required(),
                 redirect_uri: Joi.string().required(),
                 state: Joi.string().required(),
+                audience: Joi.string().valid('app', 'admin').optional(),
               },
             },
           }),

api/lib/application/authentication/oidc/oidc-controller.js

@@ -103,14 +103,15 @@ const authenticateUser = async function (
     authenticationServiceRegistry,
   },
 ) {
-  const { code, identityProvider, redirectUri, state: stateReceived } = request.deserializedPayload;
+  const { code, identityProvider, redirectUri, state: stateReceived, audience } = request.deserializedPayload;
 
   const stateSent = request.yar.get('state', true);
   // eslint-disable-next-line no-unused-vars
   const nonce = request.yar.get('nonce', true);
 
   const oidcAuthenticationService = dependencies.authenticationServiceRegistry.getOidcProviderServiceByCode({
     identityProviderCode: identityProvider,
+    audience,
   });
 
   const result = await usecases.authenticateOidcUser({

api/tests/unit/application/authentication/oidc/oidc-controller_test.js

@@ -269,6 +269,49 @@ describe('Unit | Application | Controller | Authentication | OIDC', function ()
       });
     });
 
+    context('when audience is "admin"', function () {
+      it('uses only identity providers enabled in Pix Admin', async function () {
+        // given
+        request = {
+          ...request,
+          deserializedPayload: {
+            ...request.deserializedPayload,
+            audience: 'admin',
+          },
+        };
+        const oidcAuthenticationService = {};
+        const authenticationServiceRegistryStub = {
+          getOidcProviderServiceByCode: sinon.stub(),
+        };
+
+        authenticationServiceRegistryStub.getOidcProviderServiceByCode
+          .withArgs({ identityProviderCode: identityProvider })
+          .returns(oidcAuthenticationService);
+
+        const dependencies = {
+          authenticationServiceRegistry: authenticationServiceRegistryStub,
+        };
+
+        usecases.authenticateOidcUser.resolves({
+          pixAccessToken,
+          logoutUrlUUID: '0208f50b-f612-46aa-89a0-7cdb5fb0d312',
+          isAuthenticationComplete: true,
+        });
+
+        request.yar.get.onCall(0).returns(state);
+        request.yar.get.onCall(1).returns(nonce);
+
+        // when
+        await oidcController.authenticateUser(request, hFake, dependencies);
+
+        // then
+        expect(authenticationServiceRegistryStub.getOidcProviderServiceByCode).to.have.been.calledWithExactly({
+          identityProviderCode: identityProvider,
+          audience: 'admin',
+        });
+      });
+    });
+
     it('should return PIX access token and logout url uuid when authentication is complete', async function () {
       // given
       const oidcAuthenticationService = {};