Storing a user account or just validate an access token from an identity provider?

I have an existing application that uses a basic authentication/authorization system and would like to move to using SSO through OAuth/OIDC. With my current setup, there is a user accounts table that stores email/password info as well as other things. After reading up more on OAuth and OIDC, it seems that when using some external identity provider, storing a user account on an application backend isn't required.

So my question is: when using SSO through an IDP for an application with an API backend, should there still be account management on the API backend, or is access token validation the only thing required? And if token validation is the answer, what are some scenarios where still storing a user account would be required?



Solution 1:[1]

You may still need to store some information in your backend, e.g., a user's subscription plan.
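As an added illustration (not part of the question or the answer above), here is the hybrid the answer points at: the API backend validates the identity provider's token and stores no passwords, but keeps a small local record keyed by the token's issuer and subject for application data the IdP knows nothing about, such as a subscription plan. The code is standard-library Python only; the HS256 shared secret, the issuer URL, the audience and every claim value are constructed assumptions, and a real OIDC deployment would verify RS256/ES256 signatures against the provider's JWKS instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed assumptions for the example. HS256 with a shared secret keeps the
# example dependency-free; a real IdP publishes asymmetric keys via JWKS.
IDP_SECRET = b"constructed-example-secret-not-a-real-key"
EXPECTED_ISSUER = "https://idp.example.com"   # hypothetical issuer
EXPECTED_AUDIENCE = "my-api"                  # hypothetical audience (this API)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Stand-in for what the IdP would issue; used only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    pass


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature first, then issuer, audience and expiry. Returns the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def is_valid(token: str, now: Optional[float] = None) -> bool:
    try:
        validate_token(token, now)
        return True
    except TokenError:
        return False


@dataclass
class LocalUser:
    issuer: str
    subject: str
    email: Optional[str]
    plan: str = "free"   # application-owned data; the IdP never sees it


class UserStore:
    """In-memory stand-in for the application's user table, keyed by (iss, sub)."""

    def __init__(self) -> None:
        self._users: Dict[Tuple[str, str], LocalUser] = {}

    def get_or_create(self, claims: dict) -> LocalUser:
        key = (claims["iss"], claims["sub"])
        user = self._users.get(key)
        if user is None:   # first login: just-in-time provisioning, no password stored
            user = LocalUser(issuer=claims["iss"], subject=claims["sub"], email=claims.get("email"))
            self._users[key] = user
        elif claims.get("email") and user.email != claims["email"]:
            user.email = claims["email"]   # refresh mutable profile data; the key stays (iss, sub)
        return user

    def count(self) -> int:
        return len(self._users)


def handle_request(store: UserStore, token: str, now: Optional[float] = None) -> dict:
    """What an API endpoint does per request: validate, then look up local state."""
    claims = validate_token(token, now)
    user = store.get_or_create(claims)
    return {"sub": user.subject, "plan": user.plan}
```

The local row is keyed on the `iss` and `sub` claims rather than on email: `sub` is the identifier OIDC defines as stable for a given issuer, while an email address can change or, absent an `email_verified` claim, may not have been verified by the provider at all. The password column from the old schema disappears entirely; what remains is the data the answer describes, such as the plan, plus whatever else the application itself owns.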

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

[1] Solution 1: Alex Jiang