I'm currently trying to build a very simple application for handling OpenID Connect using the library OpenIddict. This library lets me construct the access_token and the id_token and lets me set which claims/attributes to include in which token. And this is the part that I can't quite wrap my head around.
Which types of claims/attributes are supposed to go in the access_token? And which go in the id_token? I have tried to ask a few colleagues of mine, but I end up getting different answers.
Let's say, for instance, that we have claims/attributes such as:
- firstName
- lastName
- age
- gender
- role (could be multiple, as in admin, or editor, or some other "role" that grants a set of permissions within our application)
Into which token would I put those? And please explain to me the logic behind why one claim/attribute would belong to one of the tokens rather than the other.