I am searching for the right way to secure my REST API with OpenID Connect. The REST API runs on a different web server. The Angular-based single page application uses this library for getting the access token. The access token is a 'reference token', not a 'JWT'. Is there any middleware which I can use to access the user info endpoint to get the needed data from my identity provider, or do I have to write my own?
Identity Provider: PingFederate
You should introspect the token first, to get token claims.
Then look up user info afterwards if needed, to get user info claims.
Out of interest there's an extensible design pattern I sometimes use here.
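
The two steps from the answer above, sketched as an added example that is not part of the original answer or of any library mentioned on the page: introspect the reference token (RFC 7662), reject it unless it is active, unexpired and carries the required scope, then call the user info endpoint. The endpoint URLs are placeholders, `client_secret_basic` authentication is assumed, and `resolve_claims`, `fake_idp` and the scope names are hypothetical.

```python
import base64, json, time
from urllib import parse, request

# Placeholder endpoints (assumption): read the real ones from your IdP's metadata.
INTROSPECT_URL = "https://idp.example.com/introspect"
USERINFO_URL = "https://idp.example.com/userinfo"

class TokenRejected(Exception):
    """Raised when the API must refuse the request (401/403)."""

def http_send(url, form, headers):
    """Default transport: POST when form is given, otherwise GET; returns JSON."""
    data = parse.urlencode(form).encode() if form is not None else None
    with request.urlopen(request.Request(url, data=data, headers=headers), timeout=5) as r:
        return json.load(r)

def resolve_claims(token, client_id, client_secret, required_scope,
                   send=http_send, now=time.time):
    # Step 1: RFC 7662 introspection; the API authenticates with its own client
    # credentials (client_secret_basic is assumed here).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    info = send(INTROSPECT_URL, {"token": token, "token_type_hint": "access_token"},
                {"Authorization": f"Basic {basic}"})
    if info.get("active") is not True:          # fail closed on anything but true
        raise TokenRejected("inactive token")
    if "exp" in info and info["exp"] <= now():
        raise TokenRejected("expired token")
    scopes = info.get("scope", "").split()      # space-delimited per RFC 7662
    if required_scope not in scopes:
        raise TokenRejected("missing scope")
    # Step 2: user info, only when the token was issued with the openid scope.
    user = {}
    if "openid" in scopes:
        user = send(USERINFO_URL, None, {"Authorization": f"Bearer {token}"})
        if user.get("sub") != info.get("sub"):  # both answers must name one subject
            raise TokenRejected("subject mismatch")
    return {"token": info, "user": user}

def fake_idp(url, form, headers):
    """Constructed stand-in for the identity provider, for offline runs."""
    token = form["token"] if form else headers["Authorization"].split()[1]
    if token != "ref-123":
        return {"active": False}
    if url == INTROSPECT_URL:
        return {"active": True, "sub": "alice", "scope": "openid api.read", "exp": 2000}
    return {"sub": "alice", "email": "alice@example.com"}
```

In a real API this would run once per request in a filter or middleware, with the result cached for no longer than the token's remaining lifetime.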