We are going to use id tokens to verify authentication and access tokens for authorization.
Interesting thing about the groups claim is that it is certainly part of an entity’s identification, but certainly part of an entity’s authorization (providing access via the group list).
To return the group list in both the id and access token would be cumbersome for some users that have perhaps hundreds of groups they are members of.
I haven’t found (via searching around) any definitive statement on best practices on this topic.
Can anyone give some guidance on this?
This depends on your application’s architecture and how it’s configured to check the user’s identity and permissions.
If your application calls your own API endpoints using the access token, then it’s best to have the groups claim inside the access token, so that the endpoints will check the user’s permissions prior to displaying the response.
If your application checks the user’s permissions prior to creating the local session, then it’s best to have the groups claim inside the ID token so that the session is created successfully and the user is granted proper permissions.
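A minimal illustration of the two placements described in the reply above, as an added example that is not from this thread or from any identity provider's SDK: an API endpoint that authorizes from the groups claim in the access token, and a client application that authenticates from the ID token when it creates its local session. The audiences, group names, subject and the HS256 shared secret are all constructed for the example; a real IdP would sign with RS256 and you would verify against its published JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real IdP signs with RS256 and you would verify against
# its published JWKS. HS256 keeps this example self-contained and offline.
SECRET = b"demo-shared-secret"
API_AUDIENCE = "api://orders"        # aud of access tokens minted for the API
CLIENT_ID = "web-app-client-id"      # aud of ID tokens minted for the web app

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Build an HS256 JWT (constructed test token, not an IdP-issued one)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify(token: str, audience: str) -> dict:
    """Check signature, expiry and audience; return the claims or raise ValueError."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("token expired")
    # aud binds each token to its consumer, so an ID token is rejected at the API
    # and an access token is rejected when the app tries to open a session with it.
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def api_endpoint(access_token: str, required_group: str) -> bool:
    """Resource server: authorize from the groups claim in the access token."""
    return required_group in verify(access_token, API_AUDIENCE).get("groups", [])

def create_session(id_token: str) -> dict:
    """Client app: authenticate from the ID token and seed the session with its groups."""
    claims = verify(id_token, CLIENT_ID)
    return {"user": claims["sub"], "groups": claims.get("groups", [])}

def demo_tokens() -> tuple:
    """Constructed sample pair (access token, ID token) for one user in two groups."""
    exp, groups = int(time.time()) + 3600, ["orders-admin", "staff"]
    return (mint({"sub": "u1", "aud": API_AUDIENCE, "exp": exp, "groups": groups}),
            mint({"sub": "u1", "aud": CLIENT_ID, "exp": exp, "groups": groups}))
```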
Thanks for the response.
Thing is … we are defining the architecture … so the question was about best practices of what others have, based on their experience, concluded is a better idea.
We have the option of calling our endpoints with either or both the id and access token, so both have the possibility of being available (via cookie) to each application prior to displaying the response.
I’m not sure I understand your final paragraph about ‘checking user’s permission prior to creating the local session’ … because the only way an application would be able to check permissions would be via an already created session … and then looking at the id token or access token in that created session to assess permissions.