Is passing claims about the user in an access token "abusing" OpenID Connect?
First, let me assure you that I have read a number of posts on the topic before asking this question, but I am still confused and would appreciate more insights.
So, here's the premise:
- There is a client application that authenticates the user via OpenID Connect;
- This application talks to an external API ("resource server") that needs to perform a fine-grained authorization based on the user identity;
- The external API receives an access token (JWT bearer) from the client application. The access token is issued by the authorization server in scope of an OpenID Connect flow;
- The access token has the audience claim set to the resource server's ID (and the resource server does validate the audience claim);
- The access token has a UPN / email claim describing the identity of the user.
Now here's where I get confused:
On one hand, I am using OIDC and not plain OAuth 2.0, so I should be in good standing regarding security vulnerabilities (of course provided I have measures in place for mitigating CSRF attacks and for rejecting any "forged" tokens).
On the other hand, though, I am passing information about the user in an access token which is believed to be a big no-no in the world of OIDC & OAuth.
Am I misunderstanding something? Is it possibly safe to have identity information in an access token provided the access token was obtained in scope of an OIDC flow?
Just in case, I realize that there is a notion of scopes, but they do not look like an appropriate tool for defining and managing fine-grained permissions.
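The resource-server side of the setup described in the question, as an added example that is not part of the original post: the API receives a JWT bearer access token, verifies its signature, issuer, audience and expiry, and only then uses the identity claims inside it for a fine-grained authorization decision. The issuer URL, resource identifier, claim names (`sub`, `email`, `roles`) and the orders table are constructed assumptions; the token is signed with a shared HS256 secret purely so the example runs offline with the standard library (a real authorization server would sign with an asymmetric key and the API would verify against its published public key).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; not from any real deployment.
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://issuer.example"      # assumed authorization server
RESOURCE_ID = "api://orders"           # assumed resource-server identifier (expected aud)
NOW = 1_700_000_000                    # fixed clock so results are deterministic

# Constructed data the API protects: each order has a single owning user (keyed by sub).
ORDERS = {"o-1": {"owner": "user-alice"}, "o-2": {"owner": "user-bob"}}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Stand-in for the authorization server: produce an HS256-signed JWT."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class TokenError(Exception):
    """Raised when the access token must be rejected (maps to HTTP 401)."""


def verify_access_token(token: str, now: float = NOW, key: bytes = SECRET) -> dict:
    """Resource-server validation: signature, algorithm, issuer, audience, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose it (rejects 'none' and alg confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if RESOURCE_ID not in aud:
        # A token minted for another API (or an ID token, whose aud is the client_id) is refused here.
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def authorize(claims: dict, action: str, order_id: str) -> bool:
    """Fine-grained decision keyed on the verified identity, not on scope alone."""
    order = ORDERS.get(order_id)
    if order is None:
        return False
    # Key ownership on the stable 'sub' identifier; email/UPN can change or be reassigned.
    if order["owner"] == claims.get("sub"):
        return True
    # Constructed role rule: support staff may read any order but not modify it.
    return action == "read" and "support" in claims.get("roles", [])


def handle_request(token: str, action: str, order_id: str, now: float = NOW) -> str:
    """Return the HTTP status the API would answer with for this bearer token."""
    try:
        claims = verify_access_token(token, now=now)
    except TokenError as err:
        return f"401 {err}"
    return "200" if authorize(claims, action, order_id) else "403"


if __name__ == "__main__":
    alice = mint_token({"iss": ISSUER, "aud": RESOURCE_ID, "sub": "user-alice",
                        "email": "alice@example.test", "exp": NOW + 600})
    print(handle_request(alice, "write", "o-1"))   # own order: 200
    print(handle_request(alice, "write", "o-2"))   # someone else's order: 403
    id_token_like = mint_token({"iss": ISSUER, "aud": "client-app-id", "sub": "user-alice", "exp": NOW + 600})
    print(handle_request(id_token_like, "read", "o-1"))   # 401 wrong audience
```

The order of checks matters: the API establishes that the token is genuine and was minted for it (signature, `iss`, `aud`, `exp`) before reading any identity claim, so a forged token or one intended for a different audience never reaches the authorization step. Basing ownership on `sub` rather than on `email` or UPN avoids decisions that change when a mailbox is renamed or reassigned.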