I have a set of go services which I want to make yes/no access decisions for by getting the UMA2 RPT for a particular service (audience). Authentication is via a public client and the resulting access-token is used for the UMA2 granted RPT.
This all works great as long as I list all client roles the user has access to in the access token, but without that my call for an UMA2 RPT is “access denied”. My expectation was that the session would be enough to discover what resources/scopes the user has access to but that doesn’t seem to be the case: in fact if I get an access token for a user (with roles) and then deprovision some of those roles from the user, the access token will still yield an UMA2 RPT described by the access token.
This is a problem for us because the roles are pretty granular and we are at a point where it will get too large to fit into the header field of an HTTP request (8k+). Apart from that limitation it just seems unnecessarily heavy to send on every call.
In short, is it possible to have the access token only be proof of authentication and let it provide access to the authorizations for a given service/audience with the UMA token call?
Thanks in advance!