Reputation: 1981
I'm working with IdentityServer4 with the goal of protecting a resource API and exposing an identity server inside my organization.
So actually I have these elements:
I want to protect my API using scopes and single actions accessed by users' roles. So for example I have these APIs:
- API 1 (Scope API 1)
  - Action1.1 <-- Only admin
  - Action1.2 <-- Only manager
  - Action1.3 <-- Only manager
- API 2 (Scope API 2)
  - Action2.1 <-- Admin and manager
  - Action2.2 <-- Only users
  - Action2.3 <-- Only users
I know that the OAuth2 protocol is for authorization (with its access_token) and OpenID Connect enriches the OAuth2 protocol by supporting authentication (with its identity_token).
I would like to know what the best practice is to achieve my goal. I've found two options:
What is the best practice? Any advice is welcome
Thanks
Upvotes: 1
Views: 3525
Reputation: 27538
In my opinion, you should not send the ID token to your resource. The ID token is meant for the client application only. The client parses the token's contents and uses the user's information. The access token's purpose is to inform the API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions according to the scope claim in the token.
Another point is that, per the OpenID Connect specification, the audience of the ID token (indicated by the aud claim) must be the client ID of the application making the authentication request. If this is not the case, you should not trust the token. Conversely, an API expects a token with the aud value equal to the API's unique identifier. So in my opinion, including the permission claim in the access token would be the better option.
Upvotes: 3
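An added example (not from the question or the answer, and not IdentityServer4's own code) that shows what the answer's advice looks like on the resource-API side: the API verifies the signature, requires its own name in aud, requires its scope, and then applies the question's per-action role table from a role claim carried in the access token. An ID token (aud equal to the client ID) is rejected at the audience check. The tokens are HS256 JWTs built inline with the standard library as a stand-in for IdentityServer's RS256-signed tokens; the issuer URL, client ID, API name, signing key and user names are constructed placeholders.

```python
"""Resource-API token check following the answer: trust the access token
(aud == this API, scope covers it, role claim decides the action), never
the ID token (aud == client id). Added example with constructed values."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholders: a real API learns the issuer and keys from
# IdentityServer's discovery document / JWKS endpoint instead.
ISSUER = "https://identity.example.internal"
SIGNING_KEY = b"constructed-shared-secret-for-the-example"
CLIENT_ID = "spa-client"   # the OIDC client application; aud of the ID token
API1_NAME = "api1"         # this API's resource name; aud and scope of the access token

# The question's table for API 1: which roles may call which action.
ACTION_ROLES = {
    "Action1.1": {"admin"},
    "Action1.2": {"manager"},
    "Action1.3": {"manager"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (stand-in for the identity server's signing)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str, key: bytes) -> dict:
    """Verify the signature before trusting a single claim."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def _as_list(value) -> list:
    """aud, scope and role may each be a single string or an array."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()  # scope is space-separated; aud/role are single names
    return list(value)


def issue_id_token(sub: str, now: float) -> str:
    """What the identity server hands the client: aud is the client id."""
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "name": "Example User", "role": ["admin"]}
    return encode_jwt(claims, SIGNING_KEY)


def issue_access_token(sub: str, roles: list, scopes: list, now: float) -> str:
    """What the client presents to the API: aud names the API resources."""
    claims = {"iss": ISSUER, "sub": sub, "aud": scopes, "scope": " ".join(scopes),
              "role": roles, "client_id": CLIENT_ID, "iat": now, "exp": now + 3600}
    return encode_jwt(claims, SIGNING_KEY)


def authorize_api1(token: str, action: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a bearer token may invoke `action` on API 1."""
    now = time.time() if now is None else now
    try:
        claims = decode_jwt(token, SIGNING_KEY)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if claims.get("iss") != ISSUER:
        return False, "rejected: unknown issuer"
    if claims.get("exp", 0) <= now:
        return False, "rejected: token expired"
    # The answer's core point: an ID token's aud is the client id, so it is
    # not addressed to this API and must not be accepted here.
    if API1_NAME not in _as_list(claims.get("aud")):
        return False, "rejected: audience is not this API (ID token or token for another API)"
    if API1_NAME not in _as_list(claims.get("scope")):
        return False, "rejected: scope does not grant API 1"
    allowed_roles = ACTION_ROLES.get(action)
    if allowed_roles is None:
        return False, f"rejected: unknown action {action}"
    if not allowed_roles & set(_as_list(claims.get("role"))):
        return False, f"rejected: role not permitted for {action}"
    return True, f"allowed: {claims['sub']} may call {action}"


if __name__ == "__main__":
    now = time.time()
    access = issue_access_token("alice", ["admin"], ["api1"], now)
    print(authorize_api1(access, "Action1.1", now))            # allowed
    print(authorize_api1(access, "Action1.2", now))            # wrong role
    print(authorize_api1(issue_id_token("alice", now), "Action1.1", now))  # ID token refused
```

With IdentityServer4 the role claim only reaches the access token if the ApiResource lists "role" among its UserClaims; on the API side the same checks are what ASP.NET Core's JWT bearer middleware (audience, issuer, signature, expiry) and authorization policies (scope and role) perform for you.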