Channel: Bountied questions - Information Security Stack Exchange

How to manage long-term access to profile data using OIDC?


I am designing an ecosystem of web applications that uses an OpenID Connect (OIDC) authorization server. The users authenticate to the authorization server using the Authorization Code Flow with Proof Key for Code Exchange (PKCE). This authorization server (in this context Keycloak) should provide the following services:

The authorization server is configured to require consent from users in order to access profile data. OIDC servers can provide two types of token: an ID token and an access token.

The authorization flow looks like this (adapted from Okta documentation): [flow diagram]

I am confused on how to manage (access+update) profile data from the resource server and how to use which token for what. Should the resource server keep an access token + a refresh token to query UserInfo endpoint in the long term? Is there a better alternative for the resource server to keep track of profile data updates?
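Added illustration, not part of the question and not Keycloak's or Okta's code: a Python sketch of the PKCE challenge derivation the question mentions (RFC 7636, S256 method) and of the resource-server pattern the question asks about, that is, hold one refresh token per user, renew the short-lived access token only when it has expired, re-read the UserInfo endpoint, and flag the cached profile as stale when the refresh is refused. The authorization server below is a constructed in-memory stand-in with a fake clock, so it runs offline; `FakeAuthServer`, `ProfileStore`, the `alice` profile and the error strings are assumptions for illustration, not any product's API.

```python
import base64
import hashlib
import secrets


# --- PKCE (RFC 7636): the client side of the flow the question describes ----

def make_code_verifier(nbytes: int = 32) -> str:
    """code_verifier = base64url(random bytes), unpadded; 32 bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


# --- constructed in-memory authorization server (a stand-in, not Keycloak) ---

class FakeAuthServer:
    """Issues short-lived access tokens plus rotating (single-use) refresh tokens,
    serves UserInfo, and lets the user withdraw consent. `now` is a fake clock."""

    def __init__(self, access_ttl: int = 60):
        self.access_ttl = access_ttl
        self.now = 0
        self.refresh_tokens = {}   # refresh_token -> subject
        self.access_tokens = {}    # access_token -> (subject, expiry)
        self.profiles = {"alice": {"sub": "alice", "email": "alice@example.com"}}
        self.consent = {"alice": True}

    def issue_tokens(self, sub: str) -> dict:
        # Stands in for the authorization-code exchange; also used on refresh.
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access_tokens[at] = (sub, self.now + self.access_ttl)
        self.refresh_tokens[rt] = sub
        return {"access_token": at, "refresh_token": rt, "expires_in": self.access_ttl}

    def refresh(self, refresh_token: str) -> dict:
        sub = self.refresh_tokens.pop(refresh_token, None)  # rotation: one use only
        if sub is None or not self.consent[sub]:
            raise PermissionError("invalid_grant")          # assumed error name
        return self.issue_tokens(sub)

    def userinfo(self, access_token: str) -> dict:
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[1] <= self.now:
            raise PermissionError("invalid_token")
        return dict(self.profiles[entry[0]])                # copy, like a fresh response

    def revoke_consent(self, sub: str) -> None:
        self.consent[sub] = False


# --- resource-server side: the pattern the question asks about ---------------

class ProfileStore:
    """Holds one refresh token per user (never the ID token, which only proves the
    login to the client), renews the access token on demand, re-reads UserInfo,
    and marks the cached profile stale when the refresh is refused."""

    def __init__(self, server: FakeAuthServer):
        self.server = server
        self.records = {}  # sub -> {"refresh", "access", "exp", "profile", "stale"}

    def enroll(self, sub: str, tokens: dict) -> None:
        self.records[sub] = {"refresh": tokens["refresh_token"],
                             "access": tokens["access_token"],
                             "exp": self.server.now + tokens["expires_in"],
                             "profile": None, "stale": False}

    def current_profile(self, sub: str) -> tuple:
        """Return (profile, stale). stale=True means the copy could not be refreshed."""
        rec = self.records[sub]
        if rec["exp"] <= self.server.now:
            try:
                fresh = self.server.refresh(rec["refresh"])
            except PermissionError:
                rec["stale"] = True          # consent withdrawn or token rotated away
                return rec["profile"], True  # serve last-known data, flagged
            rec.update(refresh=fresh["refresh_token"], access=fresh["access_token"],
                       exp=self.server.now + fresh["expires_in"])
        rec["profile"], rec["stale"] = self.server.userinfo(rec["access"]), False
        return rec["profile"], False


def run_demo() -> dict:
    """Constructed scenario: profile edit, token refresh, then consent withdrawal."""
    srv = FakeAuthServer(access_ttl=60)
    store = ProfileStore(srv)
    store.enroll("alice", srv.issue_tokens("alice"))      # after the code exchange
    initial, _ = store.current_profile("alice")
    srv.profiles["alice"]["email"] = "alice@new.example"  # user edits profile at the AS
    srv.now += 120                                        # access token has expired
    updated, stale_after_update = store.current_profile("alice")
    srv.revoke_consent("alice")
    srv.now += 120
    last_known, stale_after_revoke = store.current_profile("alice")
    return {"initial": initial, "after_update": updated,
            "stale_after_update": stale_after_update,
            "after_revoke": last_known, "stale_after_revoke": stale_after_revoke}
```

The point of the `stale` flag is the failure mode a long-lived refresh token introduces: once the user withdraws consent (or the refresh token is rotated or expires at the server), the resource server can no longer prove it is allowed to hold fresh profile data, so it must stop treating its copy as current rather than silently serving it.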





