Tags: oauth-2.0, authorization, single-sign-on, openid-connect

OAuth2 + Open ID Connect, how to do authorization with internal backend?


I'm working on a project that includes a single page application and a backend service. The only way to access this application is via a One Login account. My FE integrates with One Login via OAuth2 + Open ID Connect to do authentication.

After user login, FE has Access Token and ID Token, so we can get some user information like: email, name,... This is fine for the authentication part.

But for the authorization part, FE needs to pass a token which includes not only the user info but also the authorization information like the user's role. Neither the Access Token nor the ID Token has this information.

My current solution is: BE will provide an API for the FE to exchange the ID Token (which it got from One Login) for an internal JWT token which has enough authorization information, then FE will use the internal token to communicate with BE. I wonder if there is any security risk with this approach, or any better approach out there?


Solution

  • You are running into the foreign token problem, where you find that third party tokens are not useful for your own authorization. The solution is to be in control of issuing your own access tokens, with your own claims, as you are doing.

    The preferred longer term option is for your apps to redirect to an Authorization Server (AS) and for it to manage the connection to OneLogin or other identity providers for you. It will then issue tokens whose claims you can control.

    These links may give you a flavour of how a good AS behaves, while keeping the code in your apps simple: