Trying to understand where to use Access Token vs ID token.
Auth0 is set up as the SP for one application. We have configured a SAML connection to our IdP (which is connected to our internal Active Directory).
The internal users will have certain defined roles in the application, which we are passing as attributes to Auth0 via the SAML connection (depending on the Active Directory groups they are a member of).
We are adding the roles via rules in Auth0 during authentication.
Should these roles be part of the Access Token, the ID Token, or both?
ID Tokens should never be used to obtain direct access to APIs or to make authorization decisions. Therefore I would recommend putting the role information into your Access Tokens.
Any actual decisions made with respect to a user’s roles should be done from the information in the Access Token. Think of an ID token as a cache for the user’s profile, useful for populating a UI with their name etc, but not to be used for any authorization purposes.
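As an added illustration of the advice above (example code, not from this thread or from Auth0), the following shows an Auth0-style rule that writes the roles into a namespaced claim on the access token, and the check an API performs so that only an access token issued for that API, never an ID token, is the source of role information. It assumes the roles land on `user.app_metadata.roles` after the SAML attribute mapping and that the API identifier is `https://api.example.com`; both are placeholders.

```javascript
// Added example, not code from the thread or from Auth0. It shows (1) an
// Auth0-style rule that copies roles into a namespaced custom claim on the
// access token and (2) the check an API does on the decoded access token.
// Assumptions (placeholders): roles arrive on user.app_metadata.roles after
// the SAML attribute mapping, and the API identifier is https://api.example.com.

const ROLES_CLAIM = 'https://example.com/claims/roles'; // custom claims must be namespaced
const API_AUDIENCE = 'https://api.example.com';          // the API's identifier in Auth0

// Rule with the Auth0 rule signature (user, context, callback).
function addRolesRule(user, context, callback) {
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  // The access token carries the roles: this is what the API authorizes on.
  context.accessToken[ROLES_CLAIM] = roles;
  // (A copy on context.idToken would be for UI display only, never for authorization.)
  return callback(null, user, context);
}

// API side. `payload` is a JWT payload whose signature, issuer and expiry
// were already verified by the JWT middleware (assumed to happen upstream).
// Only an access token issued for this API is accepted: an ID token's `aud`
// is the client_id, not the API identifier, so it is rejected here.
function rolesFromAccessToken(payload) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(API_AUDIENCE)) {
    throw new Error('not an access token for this API; ID tokens are not accepted');
  }
  return payload[ROLES_CLAIM] || [];
}

function canAccess(payload, requiredRole) {
  return rolesFromAccessToken(payload).includes(requiredRole);
}

// Constructed sample data (not real tokens).
const sampleUser = { app_metadata: { roles: ['admin', 'reader'] } };
const sampleContext = { accessToken: {}, idToken: {} };
addRolesRule(sampleUser, sampleContext, (err, user, ctx) => {
  if (err) throw err;
  console.log('access token claims:', ctx.accessToken);
});

const accessTokenPayload = {
  iss: 'https://TENANT.auth0.com/', sub: 'samlp|alice',
  aud: [API_AUDIENCE, 'https://TENANT.auth0.com/userinfo'],
  [ROLES_CLAIM]: ['admin', 'reader'],
};
const idTokenPayload = { iss: 'https://TENANT.auth0.com/', sub: 'samlp|alice', aud: 'CLIENT_ID' };
console.log('admin via access token:', canAccess(accessTokenPayload, 'admin'));
```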