I have an API that needs to authorize access based on company_id. One way to do it is to maintain a mapping of the company ID and all the client IDs (M2M apps) it generates. I am wondering whether it’d be better/secure to just embed the company ID in the access token instead. Here is the workflow I plan to implement -
- when a company creates the M2M app (via our portal), we put the company_id in the app metadata;
- we then use an Action to put the App Metadata in the Access token as a custom claim;
- Our API, upon receiving the access token, decodes the JWT, extracts company_id and uses it for authorization.
Will this work? Is there any security issue with this approach?
Thanks!!!