We are implementing IdentityServer4 with MS.Identity for SSO, Authentication & Authorization using the Implicit Flow for our handful of SPAs and WebAPIs (we own all).
With Implicit Flow the id_token is where we place extra 'claims'. Spec here.
The access_token does not contain custom permission claims as per this.
The Implicit Flow Spec is here.
Question: What is the flow of granting and removing permissions?
Revocation of the id_token is not in the spec. It seems the utility of claims in tokens knowing the permissions no longer applies with my understanding of OpenID Connect.
Am I missing an obvious built-in spec'd solution, or do we implement some kind of re-issuance of the id_token when permissions have changed?
Thanks.
Tokens don't contain permissions. They contain identity data about the client & user.
https://leastprivilege.com/2016/12/16/identity-vs-permissions/
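As an added illustration of the answer's point (example code written for this page; it is not from the question, the answer, IdentityServer4, or the linked article): the identity provider issues a signed token that says *who* the caller is (`sub`), and the API decides *what* that subject may do by consulting its own permission store on every request. Granting or revoking a permission then takes effect on the next request, with the same still-valid token, and nothing has to be reissued. The HS256 shared key, the issuer/audience values, the subject names and the permission names are all constructed for the example; a real IdentityServer4 deployment signs with an asymmetric key and the API validates with the published public key, normally through a JWT library rather than the hand-rolled verifier shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only. A real API would hold the IdP's
# public key, not a shared secret, and pin issuer/audience from configuration.
SIGNING_KEY = b"example-shared-secret-do-not-use"
ISSUER = "https://idp.example.test"
AUDIENCE = "orders-api"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, ttl_seconds=3600, now=None):
    """Mint an HS256 JWT carrying identity (who) only, never permissions (what)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """Check algorithm, signature, issuer, audience and expiry; return claims or raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


class PermissionStore:
    """The API's own source of truth for permissions, consulted on each request.
    Constructed in-memory here; in practice a database or a permission service."""

    def __init__(self):
        self._grants = {}

    def grant(self, sub, permission):
        self._grants.setdefault(sub, set()).add(permission)

    def revoke(self, sub, permission):
        self._grants.get(sub, set()).discard(permission)

    def permissions_for(self, sub):
        return frozenset(self._grants.get(sub, ()))


def authorize(token, required_permission, store, now=None):
    """Authenticate via the token, then authorize against the live permission store."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False  # unauthenticated: bad signature, wrong audience, expired, ...
    return required_permission in store.permissions_for(claims["sub"])


def demo():
    """Grant and revoke a permission while the same token stays valid."""
    store = PermissionStore()
    token = issue_token("alice", now=1_700_000_000)

    def check():
        return authorize(token, "orders:write", store, now=1_700_000_100)

    before = check()                         # no grant yet -> False
    store.grant("alice", "orders:write")
    granted = check()                        # same token, now allowed -> True
    store.revoke("alice", "orders:write")
    revoked = check()                        # same token, immediately denied -> False
    return before, granted, revoked


if __name__ == "__main__":
    print(demo())
```

The token still needs a bounded lifetime and the usual validation (signature, `iss`, `aud`, `exp`), because it is the identity proof; but because the permission decision is made from the store at call time, a revoked permission is enforced on the very next request rather than at token expiry, which is the situation the question was worried about.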