I’m working towards implementing authorization for my first-party React web application that communicates with a .NET Core web API.
For use in the client, I’ve created a ‘groups’ claim as part of the ID token to indicate what group (role) a given user is a part of. From the API’s perspective and for authorization purposes, I’ll need an additional claim added to the access token to authorize API requests, likely the same data contained in the ‘groups’ claim that was added to the ID token.
My question is what’s the preferred architecture or method for adding a claim to both the ID token for use within the client, as well as within the access token for API authorization.
Is it OK to create two ‘groups’ claims, one for the ID token and one for the access token? And if not, how should this be handled?