
How to allow access to sensitive data only from the resource server? [OAuth OpenID]


A client receives a valid access_token. I would like to know if I can do this with OAuth2/OpenID:

  • I don't want the "client" to access sensitive user information like "contract_ID", for example.
  • Only my resource server should be able to access this sensitive information to perform some operations.

Many examples on the internet show that the /userinfo request is done by the "client" to access some user information.
So how do I allow access to /userinfo only from the resource server?
The resource server has an "access token" as input. How do I use this access_token to access sensitive information without allowing the "client" to access this information?

I made two schemas to explain:


Solution

  • The userinfo endpoint is a service provided by your Identity Provider (IdP). It's part of the OAuth spec - http://openid.net/specs/openid-connect-core-1_0.html#UserInfo. It depends on the IdP configuration what is exposed in the userinfo response.

    So, don't expose contract_ID in the userinfo endpoint, but create some API method, getcontractid, which will be an authenticated/authorized API method and will retrieve the contract ID from your DB.
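An added example (not from the answer above or any real project) of the pattern the answer describes: the resource server validates the bearer access token it receives, looks up contract_ID from its own store, uses it internally, and returns only the outcome of the operation, so the client never sees the sensitive value. It assumes HS256-signed tokens with a shared demo key, a constructed in-memory "DB", and a hypothetical `contracts:read` scope; `mint_token` stands in for the IdP so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: in practice the key/JWKS comes from the IdP and the table is your DB.
SIGNING_KEY = b"demo-shared-secret"           # assumption: IdP signs access tokens with HS256
CONTRACTS = {"user-42": "CT-0001"}            # internal DB; contract_ID never leaves the server
AUDIENCE = "contracts-api"                    # this resource server's identifier

def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(sub: str, scope: str, ttl: int = 300) -> str:
    """Stand-in for the IdP: issues a signed access token (demo only)."""
    header = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": scope, "aud": AUDIENCE, "exp": int(time.time()) + ttl}
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64e(sig)}"

def validate_token(token: str, required_scope: str):
    """Resource-server check: algorithm, signature, audience, expiry and scope."""
    try:
        h, b, s = token.split(".")
        if json.loads(_b64d(h)).get("alg") != "HS256":   # reject alg=none / key confusion
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(s)):
            return None
        claims = json.loads(_b64d(b))
    except ValueError:                                   # covers bad base64/JSON/utf-8
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) < time.time():
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims

def contract_status(token: str) -> dict:
    """The 'getcontractid'-style API: uses contract_ID internally, returns only the result."""
    claims = validate_token(token, "contracts:read")
    if claims is None:
        return {"status": 401, "body": {"error": "invalid_token"}}
    contract_id = CONTRACTS.get(claims["sub"])
    if contract_id is None:
        return {"status": 404, "body": {"error": "no_contract"}}
    # Constructed operation on the sensitive value; the client only sees its outcome.
    renewal_due = contract_id.endswith("1")
    return {"status": 200, "body": {"renewal_due": renewal_due}}
```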