A question on intended use of OIDC id_token.
Imagine I have a user, browser, a SaaS, a middleware, a backend ERP system.
Note: SaaS is acting purely as a front-end serving application. Actual data is stored in backend ERP system.
user (browser) --(create address)--> SaaS --(send address)--> middleware --(send address)--> ERP
The user logs in to this SaaS and receives an id_token from the IDP.
The SaaS has some business logic for its specialised area.
The SaaS then sends this address to the middleware for storage in the ERP.
- auth between browser and SaaS is with id_token
- What's the recommended auth between the SaaS and the middleware: is it appropriate to use the id_token, or a separate client credentials flow to secure the API without having to worry about the id_token?
- If we use the client credentials flow between the SaaS and the middleware, are there any issues (security, dev best practice) with passing the id_token to the middleware?
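To make the audience question in this post concrete, here is an added example (not part of the original post) of the two token types involved: the id_token the browser presents to the SaaS, whose `aud` is the SaaS client_id, and a client-credentials access token whose `aud` is the middleware API. The IdP, client_id, audience and issuer names, the `address:write` scope and the HS256 shared key are all constructed assumptions for an offline demo; real IdPs sign with asymmetric keys published via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the IdP's signing key (HS256 so the demo is self-contained).
IDP_KEY = b"constructed-idp-signing-key"

SAAS_CLIENT_ID = "saas-frontend"   # assumed client_id the SaaS registered at the IdP
MIDDLEWARE_AUD = "middleware-api"  # assumed audience identifier of the middleware API
ISSUER = "https://idp.example"     # assumed issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        # This is the check that rejects a forwarded id_token at the middleware.
        raise ValueError(f"audience mismatch: token is for {aud!r}, not {expected_aud!r}")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def issue_id_token(subject: str) -> str:
    """What the IdP hands to the browser after login: aud = the SaaS client."""
    now = int(time.time())
    return sign_jwt({"iss": ISSUER, "sub": subject, "aud": SAAS_CLIENT_ID,
                     "iat": now, "exp": now + 3600, "nonce": "constructed-nonce"}, IDP_KEY)


def issue_client_credentials_token(client_id: str) -> str:
    """What the IdP returns for a client_credentials grant: aud = the middleware API."""
    now = int(time.time())
    return sign_jwt({"iss": ISSUER, "sub": client_id, "aud": MIDDLEWARE_AUD,
                     "iat": now, "exp": now + 600, "scope": "address:write"}, IDP_KEY)


def saas_accepts(token: str) -> bool:
    try:
        verify_jwt(token, IDP_KEY, SAAS_CLIENT_ID)
        return True
    except ValueError:
        return False


def middleware_accepts(token: str) -> bool:
    try:
        verify_jwt(token, IDP_KEY, MIDDLEWARE_AUD)
        return True
    except ValueError:
        return False


def middleware_store_address(request: dict) -> dict:
    """Middleware side: authenticate the calling service, then record who it acts for."""
    token = request["authorization"].removeprefix("Bearer ")
    caller = verify_jwt(token, IDP_KEY, MIDDLEWARE_AUD)
    if "address:write" not in caller.get("scope", "").split():
        raise PermissionError("insufficient scope")
    return {"stored_by": caller["sub"], "user": request["body"]["on_behalf_of"],
            "address": request["body"]["address"]}


def saas_forward_address(id_token: str, address: str) -> dict:
    """SaaS side: validate the user's id_token locally, call middleware with its own token."""
    user = verify_jwt(id_token, IDP_KEY, SAAS_CLIENT_ID)
    # In a real deployment this is a POST to the IdP token endpoint with
    # grant_type=client_credentials; here the IdP is simulated in-process.
    cc_token = issue_client_credentials_token(SAAS_CLIENT_ID)
    request = {"authorization": f"Bearer {cc_token}",
               "body": {"address": address, "on_behalf_of": user["sub"]}}
    return middleware_store_address(request)
```

Running `saas_forward_address(issue_id_token("user-123"), "1 Main St")` shows the chain working end to end, while `middleware_accepts(issue_id_token("user-123"))` is false because the id_token's audience is the SaaS, not the middleware; the user identity travels as a claim in the request body that the middleware attributes to the authenticated service caller.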