Tags: spring-boot, spring-security, oauth-2.0, keycloak, openid-connect

What is the purpose of id token when resource server and client app is same?


We have an HR-related app where users fill in their timesheets, etc. We are using Keycloak, an OAuth2/OIDC-compliant IAM tool, for authentication and authorization. Our HR back end app is a resource server. We are using the authorization code flow, which gives us an access token against the token request executed after authentication on Keycloak, upon the callback (a UI page of our HR UI app) executed by the HR UI to the HR back end (resource server). We place that token in the browser storage of our HR UI, which sends it in the Authorization header to call protected resources from the HR back end; this makes our application OAuth2 compliant. Now my question is: how can we make the app OIDC compliant? I can send the openid scope in the initial authorize URL, but what am I going to do with the id_token, as we are fetching the username from the database of our HR back end? Does parsing the ID token on the front end and displaying the name make our app OIDC compliant, or will we have to perform any further optimizations?


Solution

  • I think you need to look at the purpose of the ID token.

    The ID token represents details about the user and, more importantly, how the user authenticated (password, 2FA, ...). The lifetime of the ID token is often very short (a few minutes).

    This is how the specification describes it:

    The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims.

    So, basically, you can do whatever you like with it, but the Spring OpenID client library will often handle it for you and extract the necessary data to create a local user session.

    You don't need to do anything special to be OIDC compliant; just use a standard OpenID Connect library, follow the various best practices, and you are set.
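
An added example, not part of the original question or answer and not Spring's or Keycloak's own code: the checks a relying party (here, the HR UI) must run on an ID token before trusting its claims, as listed in OIDC Core 3.1.3.7, and the authentication-context claims (auth_time, amr, acr) that the access token does not carry. To stay stdlib-only it mints and verifies an HS256 token keyed with the client secret, which OIDC permits for confidential clients; a Keycloak realm signs with RS256 by default, and a library such as Spring Security fetches the realm JWKS for that, but the claim checks are the same. The issuer URL, client id, secret, nonce, subject and clock value are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; none of them belong to a real deployment.
ISSUER = "https://keycloak.example.test/realms/hr"
CLIENT_ID = "hr-ui"
CLIENT_SECRET = "constructed-client-secret-not-a-real-one"
NOW = 1_700_000_000                     # fixed clock so the example is deterministic
NONCE = "nonce-set-by-hr-ui-before-redirect"

SAMPLE_CLAIMS = {                       # constructed ID-token payload
    "iss": ISSUER,
    "sub": "f8a1c2d3-0000-4000-8000-000000000001",
    "aud": CLIENT_ID,
    "exp": NOW + 300,                   # short-lived: five minutes here
    "iat": NOW,
    "auth_time": NOW - 5,
    "nonce": NONCE,
    "amr": ["pwd", "otp"],              # how the user authenticated: password plus OTP
    "acr": "1",
    "preferred_username": "alice",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_id_token_hs256(claims: dict, client_secret: str) -> str:
    """Issuer side: mint an HS256-signed JWT over the header and payload segments."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_subject(token: str, new_sub: str) -> str:
    """Attacker move: rewrite the payload but keep the original signature."""
    header, payload, signature = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["sub"] = new_sub
    return header + "." + _segment(claims) + "." + signature


class IdTokenError(ValueError):
    pass


def validate_id_token(token, *, client_secret, expected_issuer, client_id, expected_nonce, now, leeway=60):
    """Relying-party checks from OIDC Core 3.1.3.7; raises IdTokenError on the first failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm registered with the IdP; trusting the header's alg
    # opens the door to "none" and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode(), (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenError("token not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp must name this client when aud has several entries")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise IdTokenError("token expired")
    if "iat" not in claims or claims["iat"] > now + leeway:
        raise IdTokenError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


def id_token_problem(token, **kwargs):
    """Return the validation error message, or None if the token is acceptable."""
    try:
        validate_id_token(token, **kwargs)
    except IdTokenError as err:
        return str(err)
    return None


def authentication_context(claims: dict) -> dict:
    """What the ID token tells the client that the access token does not: who, when, how."""
    return {"sub": claims["sub"], "auth_time": claims.get("auth_time"),
            "amr": claims.get("amr", []), "acr": claims.get("acr")}


def build_sample_token() -> str:
    return sign_id_token_hs256(SAMPLE_CLAIMS, CLIENT_SECRET)
```

The nonce and aud checks are the ones that tie the ID token to the browser session that started the flow: the UI generates the nonce before redirecting to Keycloak and refuses any token that does not echo it back, and it refuses a token minted for a different client id. Displaying `preferred_username` from the token is fine, but it should only happen after these checks pass; the back end still authorizes each API call on the access token, not on the ID token.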