This is a bit of an open-ended question, but I was wondering how people have architected their solution to deal with platforms where many applications talk to many resource servers using OIDC. I have read this article (https://www.pingidentity.com/en/company/blog/posts/2019/oauth2-access-token-multiple-resources-usage-strategies.html), which suggests the primary options are:
- Single access token / single audience to be used across all resources
- Single Access Token with Multiple Audiences (not sure this is supported in Okta)
- Multiple Access Tokens (one custom auth server per service - one token per service)
Option 1 would appear to be the obvious choice, but I can see a situation where claims/scopes and other auth server config will become hard to manage when handling many resource server requirements.
I’d appreciate any input into this discussion.
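As an added example (not part of the original post), the following shows what the audience check at a single resource server looks like under each of the three strategies above, handling `aud` as either a string or a list as RFC 7519 permits, and the `scp` list versus `scope` string forms of scope claims. The issuer URLs, audience identifiers and scope names are constructed placeholders, and signature verification against the authorization server's JWKS is assumed to have already succeeded before these claim checks run.

```python
import time
from typing import Optional

# Added example, not Okta's or the article's code. Signature verification
# (against the auth server's JWKS) is assumed to have passed before this runs.

def aud_matches(claims: dict, resource: str) -> bool:
    """RFC 7519 allows 'aud' to be a single string or a list of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == resource
    if isinstance(aud, list):
        return resource in aud
    return False  # missing or malformed audience: reject


def has_scope(claims: dict, required: str) -> bool:
    """Okta issues 'scp' as a list; RFC 9068 uses a space-delimited 'scope'."""
    scp = claims.get("scp")
    if isinstance(scp, list):
        return required in scp
    scope = claims.get("scope")
    if isinstance(scope, str):
        return required in scope.split()
    return False


def accept_token(claims: dict, *, resource: str, issuer: str,
                 required_scope: str, now: Optional[float] = None) -> bool:
    """Claim validation one resource server applies to a verified access token."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False  # token minted by a different auth server
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False  # expired or missing expiry
    return aud_matches(claims, resource) and has_scope(claims, required_scope)


# Constructed sample claims (hypothetical issuer, audiences and scopes):
ISSUER = "https://example.okta.com/oauth2/default"
EXP = 2_000_000_000
# Strategy 1: one audience shared by every resource server; scope names must
# be namespaced so each server can tell its own permissions apart.
SINGLE_AUD = {"iss": ISSUER, "aud": "api://platform", "exp": EXP, "scp": ["orders.read"]}
# Strategy 2: one token carrying several audiences.
MULTI_AUD = {"iss": ISSUER, "aud": ["api://orders", "api://billing"], "exp": EXP, "scope": "orders.read"}
# Strategy 3: one token per service, minted by that service's own auth server.
PER_SERVICE = {"iss": ISSUER + "-orders", "aud": "api://orders", "exp": EXP, "scp": ["orders.read"]}
```

Under strategy 2 the same token is accepted by the orders server and rejected by any server whose identifier is absent from `aud`, which is the property strategy 1 gives up.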