I am using the OIDC flow with id_token for authentication. This is a server-side MVC app using the Authorization Code flow.
Once a user is logged in, I want to propagate authentication context to microservices in the same application. Those services are accessed through HTTP endpoints, back-end to back-end.
What’s the best practice to solve this? The two alternatives I can think of are:
- Pass the id_token itself in HTTP headers, and the recipient validates its signature and expiration.
  - Pros: convenient.
  - Cons: everything I’ve found on the topic (mostly for other products) says not to do this.
- Pass the access_token in HTTP headers, and the recipient uses the access token to call the Okta
  - Pros: more consistent with standards.
  - Cons: not clear why this is better than passing the id_token itself. It feels awkward because breaking up my application into multiple microservices is an implementation decision internal to my app, not creating a concept of a “resource server”. And there is no concept of the user authorizing component A to call component B on their behalf; component B just needs to know which user is logged into component A.
- Pass the access_token in HTTP headers. Recipient validates the token and gets claims off of it directly.
  - Pros: as convenient as id_token.
  - Cons: not standards-compliant – OIDC spec does not require access tokens to be JWT; access tokens can be opaque.
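An added example (not part of the question, and not Okta's code) of what the receiving service in the first and third alternatives has to do with a JWT it finds in a header: pin the signing algorithm, verify the signature with the issuer's public key, and check iss, aud and exp. It assumes RS256 and a string-valued aud; the key pair is generated locally only so the demo runs offline (in practice the service fetches the issuer's public key from its JWKS endpoint), and the issuer and audience values used in the test are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
type Claims struct { // aud is a string here; RFC 7519 also allows an array
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// SignRS256 mints a JWT; it stands in for the issuer (Okta) so the demo runs offline.
func SignRS256(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// VerifyRS256 is what the receiving service runs: pin the alg, verify the signature with the issuer's public key (from its JWKS in practice), then check iss, aud and exp (Unix seconds).
func VerifyRS256(pub *rsa.PublicKey, token, wantIss, wantAud string, now int64) (*Claims, error) {
	hdrB64, rest, ok1 := strings.Cut(token, ".")
	payB64, sigB64, ok2 := strings.Cut(rest, ".")
	hdr, errH := b64.DecodeString(hdrB64)
	sig, errS := b64.DecodeString(sigB64)
	digest := sha256.Sum256([]byte(hdrB64 + "." + payB64))
	var h struct{ Alg string }
	if !ok1 || !ok2 || errH != nil || errS != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" ||
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("malformed, alg not RS256, or bad signature") // rejects alg=none, HMAC, tampering
	}
	var c Claims
	if raw, err := b64.DecodeString(payB64); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	// An id_token's aud is the MVC app's client_id, so a service comparing aud to its own id rejects it.
	if c.Iss != wantIss || c.Aud != wantAud || now >= c.Exp {
		return nil, errors.New("wrong issuer, not issued for this service, or expired")
	}
	return &c, nil
}
```

The aud check is the concrete difference between the two token types: an id_token is issued to the MVC app's client_id, whereas an access token minted for the called service carries that service's audience, so only the latter passes this check without the service having to trust a token that was never meant for it.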