I've been digging deep into OAuth2 / OpenID Connect (OIDC) and in many ways I feel smarter, but in many ways I'm worried that a simple mistake will leave me vulnerable. I'm building super standard business apps. So time to ask for directions:

openid scope. I'm getting the id_token, access_token, and refresh_token.

I have a million questions, but let's start with the basics:

1. Is it OK to take the id_token and just send it to the React code in the browser and have it stored in Session Storage? Otherwise, how exactly is the UI supposed to know information about the person logged in?

2. If I have the id_token, do I still care about the /userinfo endpoint? My guess is no.

3. Every time the UI makes a call to the API, it passes the auth code? Does the Spring code in turn make a call to /oauth/token every time? Should (or does) the Spring code cache the relationship between the auth code and the returned tokens?
You ask just for the openid scope, so why do you need the access and the refresh token? And since you want the ID token to be used by the React application, I would suggest you use the Implicit flow, to get the ID token directly to your frontend.

If the /userinfo endpoint doesn't provide anything else you want, you can ignore it.

/userinfo endpoint to get info about the user. Or you can use an ID token if you want to treat the frontend and the backend as one OAuth2 client (the same ID token audience) and the user identity is all you need at the backend.