MikeJansen

Reputation: 3476

How to determine disabled user with OAuth2/OpenID Connect offline access token?

We have AD FS 2016 fronting our corporate Active Directory domain for public OAuth2/OpenID Connect authentication. We are developing a simple application that is using our AD FS as an OAuth2/OpenID Connect identity provider.

Users authenticate via OpenID Connect and then on first use we provision a local user. On all authentications we store the access token.

There is a background service that sends out emails and SMS notifications to registered users based upon their local profile (which is initialized with info from claims from the IP). Using the offline access token, I would like to confirm that the user is still valid (not disabled) according to the IP (our AD FS server). Both the application website and the background service are NOT running within our corporate LAN. All access will strictly be through AD FS/OAuth2/OpenID Connect.

Is there a standard way using OAuth2/OpenID Connect to verify with the IP that an authenticated user (represented in the access token) is still enabled/valid?

The practical application of this is that if an employee leaves the company and their Active Directory account is disabled, we shouldn't send them notifications.

Upvotes: 2

Views: 904

Answers (1)

mackie

Reputation: 5264

It feels like this is something that could be exposed via the userinfo endpoint exposed by OpenID Connect. You may need to set up some custom attribute->claim mappings to make it work, but it should be possible.

Upvotes: 0
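The check the question describes, as an added example that is not part of the question, the answer, or AD FS itself: before a notification is sent, the background service redeems the stored offline (refresh) token at the IdP's token endpoint, then calls the userinfo endpoint with the fresh access token and looks for an account-status claim. The endpoint URLs, client credentials and the claim name `account_enabled` are assumptions (placeholders for whatever the custom attribute->claim mapping emits); the HTTP transport is injectable so the example runs offline against a constructed fake IdP.

```python
"""Check whether the user behind a stored refresh token is still valid at the IdP.

Added example; not code from the original question or answer.
Assumptions (not from the page): the endpoint URLs and client credentials
are placeholders, and the IdP has been configured to return a custom claim
named "account_enabled" from the userinfo endpoint.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://adfs.example.com/adfs/oauth2/token"  # placeholder
USERINFO_URL = "https://adfs.example.com/adfs/userinfo"  # placeholder
CLIENT_ID = "background-notifier"  # placeholder
CLIENT_SECRET = "replace-me"  # placeholder


def http_transport(url, data=None, headers=None):
    """Real transport: POST when data is given, else GET. Returns (status, JSON body)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "{}")


def refresh_access_token(refresh_token, transport=http_transport):
    """RFC 6749 section 6 refresh_token grant; None if the IdP refuses (e.g. invalid_grant)."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    status, payload = transport(
        TOKEN_URL, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200 or "access_token" not in payload:
        return None
    return payload


def fetch_userinfo(access_token, transport=http_transport):
    """OpenID Connect userinfo call; None if the access token is not accepted."""
    status, payload = transport(
        USERINFO_URL, headers={"Authorization": "Bearer " + access_token})
    return payload if status == 200 else None


def user_still_valid(refresh_token, transport=http_transport):
    """Return (ok, reason). Only ok=True means a notification may be sent."""
    tokens = refresh_access_token(refresh_token, transport)
    if tokens is None:
        return False, "refresh rejected by IdP"
    info = fetch_userinfo(tokens["access_token"], transport)
    if info is None:
        return False, "userinfo rejected access token"
    enabled = info.get("account_enabled")  # assumed custom claim
    if enabled is None:
        return False, "account_enabled claim missing; configure claim mapping"
    if str(enabled).lower() not in ("true", "1"):
        return False, "account disabled"
    return True, "ok"


# ---- constructed fake IdP so the example runs offline -----------------------
# alice is active; bob is still able to refresh but his AD account is disabled;
# any other refresh token is treated as revoked.
FAKE_USERS = {
    "rt-alice": {"sub": "alice", "account_enabled": "true"},
    "rt-bob": {"sub": "bob", "account_enabled": "false"},
}


def fake_transport(url, data=None, headers=None):
    """Minimal stand-in for the token and userinfo endpoints (constructed)."""
    if url == TOKEN_URL:
        form = urllib.parse.parse_qs(data.decode())
        rt = form.get("refresh_token", [""])[0]
        if rt not in FAKE_USERS:
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": "at-" + rt, "token_type": "bearer"}
    if url == USERINFO_URL:
        auth = (headers or {}).get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        rt = token[len("at-"):]
        if rt not in FAKE_USERS:
            return 401, {"error": "invalid_token"}
        return 200, FAKE_USERS[rt]
    return 404, {}


if __name__ == "__main__":
    for rt in ("rt-alice", "rt-bob", "rt-nobody"):
        print(rt, user_still_valid(rt, fake_transport))
```

The refresh grant is done first rather than reusing the stored access token because a bearer access token is usually short-lived and says nothing about the account's state after it was issued; redeeming the refresh token forces a round trip to the IdP, and a rejected refresh is itself a signal to stop notifying. The userinfo step then covers the case where the refresh still succeeds but the mapped claim reports the account as disabled; a missing claim is treated as "not valid" so a misconfigured mapping fails closed.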
