I am currently working on migrating our users from an internal DB to an OIDC service (considering Cognito/Auth0/etc.), and I am trying to implement RBAC.
Our backend is basically a bunch of microservices, and I am trying to understand how we can manage the ACL of our services without having each service implement its own solution on the one hand, and without having a central service that they will all have to call (single point of failure) on the other.
What we're imagining the solution to look like is having a JWT Access Token that is signed and holds all the user permissions as its claims, but it seems like we are missing something, since I cannot seem to find an implementation that does it.
I did see that I can add these claims to the ID Token, but as I understand it, the ID token should not be passed as an Access Token. Am I missing something? How is it usually done in microservices environments?
Edit: Seems like Auth0 supports our use case and Cognito doesn't... That still leaves the question whether it's a good idea to implement it the way we're planning
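The pattern the post describes, as an added example that is not from the original post or from any vendor's code: the authorization server mints a signed access token (`typ: at+jwt`, as RFC 9068 defines for JWT access tokens, so it is never confused with an ID token) whose claims carry the user's permissions, and each microservice verifies it locally, checking algorithm, signature, expiry and audience, before consulting the `permissions` claim. It uses HS256 from the standard library to stay dependency-free; in a real deployment the issuer would sign with RS256/ES256 and publish the public key via JWKS, so services hold no signing secret, but the verification steps are the same. Issuer, audience and secret values are constructed for the example.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(secret: bytes, sub: str, permissions: list, aud: str, ttl: int = 300, now=None) -> str:
    """Authorization-server side: mint a compact JWT access token carrying permissions."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}          # at+jwt marks this as an access token, not an ID token
    payload = {"iss": "https://issuer.example", "sub": sub, "aud": aud,   # constructed issuer
               "iat": now, "exp": now + ttl, "permissions": permissions}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_access_token(secret: bytes, token: str, expected_aud: str, now=None) -> dict:
    """Resource-server side: validate entirely locally; no call to a central authorization service."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm and token type: never accept 'none' or an attacker-chosen alg.
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        raise PermissionError("unexpected alg or typ")
    expected_sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if payload.get("aud") != expected_aud:       # a token for another service must be rejected
        raise PermissionError("wrong audience")
    return payload

def has_permission(payload: dict, needed: str) -> bool:
    """Authorization decision made from the verified claims, not from a remote lookup."""
    return needed in payload.get("permissions", [])
```

Each service only needs the verification key and its own audience identifier, so a permission change takes effect when the short-lived token is next refreshed rather than requiring a call to a central ACL service.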