I have an OIDC site that uses an OAuth proxy to authenticate a user and store their JWT token in a redis store. The proxy also automagically takes the session id in the cookie, looks up the token and injects it as an Authorization header before forwarding. This all works great, but now we would like to enforce Authorization. From what I read here, the token I am receiving is an ID token (thanks to me using OIDC) with claims based on the scopes I provided. However, the documentation says this should not be used to handle things like RLS.
So if I am a service and I get this access token, what are the next steps? Should I create another Envoy proxy that sits in between and calls the /userinfo or some other endpoint to get the updated token? Should I just add the required claims directly to the ID Token?
I’m not sure I understand your question exactly, but hopefully this helps to get things moving in the right direction.
Typically, the Access Token is minted by the authorization server. Roles/permissions are defined for the user and added as claims in the token. The token is verified by the API in question and authorization is granted according to roles, permissions, etc. in the token.
The /userinfo endpoint just contains the user’s profile information (same as ID Token) and can only be accessed by passing the user’s Access Token as an Authorization Header.
I’m not sure this answers your question directly, but I also definitely recommend taking a look at the following article which does a good job describing common architectural scenarios and what those look like:
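An added example of the pattern this reply describes (not code from this thread or from any vendor library): a stand-in authorization server mints an HS256-signed access token carrying a `permissions` claim, and the API verifies signature, audience and expiry before checking that claim; an ID token whose `aud` is the client id fails the audience check. The signing secret, API audience and client id are constructed placeholders, and a real API would validate an RS256 signature against the authorization server's published JWKS instead of a shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a production API verifies with the authorization
# server's public key (JWKS), never a shared HMAC secret.
SECRET = b"demo-signing-secret"
API_AUDIENCE = "https://api.example.internal"  # hypothetical API identifier
CLIENT_ID = "spa-client-123"                    # hypothetical OIDC client id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in authorization server: sign the claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token: str, now=None) -> dict:
    """Resource-server check: signature, audience and expiry must all pass."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, do not trust the header
    msg = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong audience")  # an ID token (aud = client id) fails here
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def authorize(token: str, required: str, now=None) -> bool:
    """Grant access only if the verified token carries the required permission."""
    try:
        claims = verify_access_token(token, now)
    except ValueError:
        return False
    return required in claims.get("permissions", [])
```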
The problem is I have an ID Token from OIDC but I need an access token to get an up-to-date list of claims given an audience. I could attach them to the OIDC ID Token, but then they will get out of sync if the ID token has a long expiry. I assume I can do this somehow with the management API.
This is also incorrect given the documentation above. The ID Token is the token used by OIDC as well. This seems to be the access token equivalent in that flow. So I need to upgrade that to an access token.