
how is the access token handled in the oidc-filter?

Open d95776 opened this issue 5 years ago • 2 comments

I like the oidc-filter code and have a question: in response to the auth code with client id/secret request, the token endpoint of the OpenID Connect authorization server returns both an access token and an id_token. I see the oidc-filter code sets the id_token (also called the JWT token in your description) in a cookie and sets the token as the value of the Authorization header for the subsequent filter to verify it. I do not find any code to process the access token returned by the token endpoint of the OpenID Connect authorization server. If it is processed in the code, could you please tell me where it is processed? If it is not processed, could you please tell me why the filter does not need to process it, such as verifying it or setting the access token in the cookie?

d95776 avatar Jan 23 '21 18:01 d95776

I think it works with both. I haven't looked at it in a while, but I believe I only used the id_token because it is not as short-lived. You should be able to use them interchangeably.

dgn avatar Jan 26 '21 17:01 dgn

In general, the id_token is used for the user and the access token is used for the client app. I am not sure where the client app is in the process flow implemented by the code. Is it the browser app or the Envoy proxy filter? It looks like it is not the browser app, since it does not have the client id/secret. It may also not be the Envoy proxy filter, since the Envoy proxy filter is protecting the browser app's access to the APIs. It is hard to understand using the filter to protect itself too.

d95776 avatar Jan 27 '21 04:01 d95776
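The two posts above turn on the difference between what the token endpoint hands back and which of the two tokens a relying party such as the filter can actually validate. The following is an added example, not code from the oidc-filter project, that models the step described in the question: take a token-endpoint response, validate the id_token as a relying party must (signature, issuer, audience equal to its own client_id, expiry), and only then place it in a cookie and the Authorization header for the next filter. It also shows why the access_token does not pass the same check: its audience is the downstream API, not the client. Everything here is constructed: the client_id `my-envoy-filter`, the issuer URL, the cookie name `oidc-jwt`, the subject `alice`, the audience `orders-api`, and the HS256 shared secret, which stands in for the RS256/ES256 keys a real provider publishes at its JWKS endpoint so that the example runs offline.

```python
"""
Added example (not oidc-filter project code): relying-party handling of an OIDC
token-endpoint response. All identifiers and keys below are constructed.
HS256 with a shared secret is used only so the example runs offline; real
providers sign with asymmetric keys published at the JWKS endpoint.
"""
import base64
import hashlib
import hmac
import json

CLIENT_ID = "my-envoy-filter"          # constructed: this relying party's client_id
ISSUER = "https://idp.example.test"    # constructed issuer
API_AUDIENCE = "orders-api"            # constructed: audience of the access token
SECRET = b"constructed-shared-secret"  # constructed: stands in for the IdP signing key
COOKIE_NAME = "oidc-jwt"               # constructed cookie name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used only to build the constructed token response."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def build_sample_response(now: int) -> dict:
    """Constructed stand-in for what the token endpoint returns after the code
    exchange: an id_token addressed to the client and an access_token addressed
    to the downstream API."""
    id_token = make_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                         "exp": now + 3600, "iat": now})
    access_token = make_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "alice",
                             "scope": "orders:read", "exp": now + 300, "iat": now})
    return {"id_token": id_token, "access_token": access_token,
            "token_type": "Bearer", "expires_in": 300}


def verify_id_token(token: str, client_id: str, issuer: str, now: int,
                    secret: bytes = SECRET) -> dict:
    """Relying-party checks on an id_token: signature, issuer, audience must
    contain our own client_id, not yet expired. Raises ValueError on failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise ValueError("token not addressed to this client")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def is_valid_id_token(token: str, now: int) -> bool:
    """True if the token passes the relying-party checks for this client."""
    try:
        verify_id_token(token, CLIENT_ID, ISSUER, now)
        return True
    except ValueError:
        return False


def handle_token_response(response: dict, now: int) -> dict:
    """The step the question describes: validate the id_token, then hand it to
    the next filter via a cookie and the Authorization header. The access_token
    is not validated here because its audience is the API, not this client; it
    is returned separately for whatever calls the API on the user's behalf."""
    claims = verify_id_token(response["id_token"], CLIENT_ID, ISSUER, now)
    return {
        "Set-Cookie": f"{COOKIE_NAME}={response['id_token']}; HttpOnly; Secure; SameSite=Lax",
        "Authorization": f"Bearer {response['id_token']}",
        "subject": claims["sub"],
        "access_token": response["access_token"],
    }


if __name__ == "__main__":
    now = 1_700_000_000
    resp = build_sample_response(now)
    print(handle_token_response(resp, now)["subject"])
    print("access_token passes id_token checks:", is_valid_id_token(resp["access_token"], now))
```

Running it shows the id_token validating for `my-envoy-filter` while the access_token is rejected for audience mismatch, which is the practical reason a relying party's login check is built on the id_token; a gateway that wanted to forward the access_token to a backend API would pass it through without attempting to validate it as its own.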