Hello everyone!
I have a question about how to limit the information included in an access token, and I'd really appreciate your insights. Here's my use case:
For each user, I retrieve a list of “location/role” pairs from an external IDP. This lets me know which locations and roles a user can access in the application. When logging in, the user selects one specific “location/role” pair to set their application context.
What I'd like to do is generate an access token that contains only the selected "location/role" pair, not the full list. The challenge is that there are many locations, and a user's role can be different for each one. For example, a user might have:
"location_role_list": [
  { "location": "great beach", "role": "waiter" },
  { "location": "beautiful hotel", "role": "admin" }
]
On the first page of the app, the user picks, say, { "location": "great beach", "role": "waiter" }.
Is it possible to generate an access token that includes only this selected pair? For example, with a claim like "selected_location_role": { "location": "great beach", "role": "waiter" }?
If so, what would be the best way to implement this? Are there any best practices or potential pitfalls I should be aware of?
For context, I already use the token-exchange mechanism to restrict token data using roles and groups, but not to restrict to a single value from a list.
Would using the Authorization Service (by managing resource servers) be an acceptable approach? Or maybe dynamic scopes? Or something else?
In a simpler case, if I want to manage only the "location" part (e.g., attribute locations: great hotel, beach), can the app request a token that contains only location: great hotel? How?
Thank you so much for your help and advice!