Regarding the Implicit Grant Flow, I am seeking to understand: if the SPA application (Partner System) needs to call the API hosted by the parent organisation, then can both the access token and the ID token be sent while accessing this API (given that, generally, the ID token is never sent to the API)? Also, I am seeking to understand whether this approach is secure and advisable.
The thought is for the Auth0 ID to be returned by the vendor (Partner) to the Parent Organisation while making the API request. Further, can the API hosted by the parent organisation make a call back to Auth0 to retrieve the user profile, to validate that the Auth0 ID is for a valid client session and audience, and that the ID or access token hasn't expired?
Keen to know your thoughts.