Hello @andrea.chiarelli, thank you for the article! You mentioned there are three reasons why the ID Token should not be sent to an API server:
- Lack of support for sender constraint
- Ignoring the intended recipient stated by the audience claim
- Lack of granted scopes
My context is:
- My software has custom authorization implemented, so I am not using scopes for authorization; Auth0 primarily functions as an Identity Provider.
- I am creating a SPA & API server (i.e. first-party applications), hidden behind a reverse proxy. So, on Auth0, I can create a Single Page Web Application, whereby the SPA uses this application's details for OIDC, and the API server uses this application's details for validation (e.g. the application's ID for the audience claim).
Other than the lack of support for sender constraint (which I think is mitigated with a short lifetime of the ID Token), are there any other security concerns?
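The two remaining concerns in the list above (audience and scopes) come down to what the API server's token validation actually checks. The following is an added example, not code from the thread or from Auth0's SDKs: a minimal HS256 JWT validator for a resource server that requires the audience to be the API's own identifier and a granted scope to be present. It mints two constructed tokens, one shaped like an ID token (audience = the SPA's client ID, with a nonce) and one shaped like an access token (audience = the API identifier, with a `scope` claim), and shows that the ID token is rejected on audience and the access token is accepted only when it carries the required scope. The issuer, client ID, API identifier and shared secret are placeholders; Auth0 signs ID tokens with RS256 by default, and HS256 is used here only so the snippet runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values for this example (not taken from the thread)
ISSUER = "https://example-tenant.example.com/"   # hypothetical issuer URL
SPA_CLIENT_ID = "spa-client-id-placeholder"       # hypothetical SPA client ID
API_AUDIENCE = "https://api.example.com"          # hypothetical API identifier
SECRET = b"constructed-shared-secret-for-demo"    # HS256 key, demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Create a compact HS256 JWT from a claims dict (constructed tokens only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_for_api(token: str, required_scope: str = None, now: float = None):
    """Resource-server check: signature, exp, iss, aud == this API, and scope.

    Returns (accepted, reason) so callers can log why a token was refused.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the expected algorithm
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    # The audience check is what separates an ID token (aud = client ID)
    # from an access token minted for this API (aud = API identifier).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in audiences:
        return False, f"audience {aud!r} is not this API"
    # ID tokens carry no scope claim, so any scope requirement fails on them.
    if required_scope:
        granted = set(claims.get("scope", "").split())
        if required_scope not in granted:
            return False, f"missing scope {required_scope}"
    return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Run the validator over a constructed ID token and access token."""
    id_token = mint({
        "iss": ISSUER, "sub": "auth0|user123", "aud": SPA_CLIENT_ID,
        "iat": now, "exp": now + 600, "nonce": "constructed-nonce",
    })
    access_token = mint({
        "iss": ISSUER, "sub": "auth0|user123", "aud": API_AUDIENCE,
        "iat": now, "exp": now + 600, "scope": "read:orders",
    })
    return {
        "id_token": validate_for_api(id_token, "read:orders", now),
        "access_token": validate_for_api(access_token, "read:orders", now),
        "access_token_wrong_scope": validate_for_api(access_token, "write:orders", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the audience line is that it is the API, not the SPA, that decides which `aud` value it will honour; if the API is configured to accept the SPA's client ID as its audience, that check no longer distinguishes a token minted for the browser from one minted for the API, which is the "intended recipient" concern from the list above, independent of token lifetime.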