
I am currently building a REST API for a web app that I'd like to put behind some authentication to ensure that the user only sees what they are supposed to see (e.g. their organization). However, I don't want to deal with saving sensitive user data at all, so I want to use some already existing services, like GitHub, Google, etc.

As I currently understand it, this would be possible by implementing some kind of OIDC flow that authorizes against these external authorization servers; the Quarkus backend would then just verify the signature of the returned JWT.

Now I am facing the problem that, for example, GitHub uses opaque tokens, meaning that the returned value is, to the outside world, just a more-or-less random string that only means something to the GitHub backend.

How would I go about implementing a backend that only allows access to a service by logging in to another one and providing a signed token for my backend to verify?

I am not interested in any information about the user, except some kind of ID that allows me to link my internal representation of a user with this external authorization server.

Am I on the right track with OIDC, and are there some more "fitting" OIDC providers?

I have currently tried to register an OAuth app with GitHub, but the returned tokens are opaque and there's no endpoint to retrieve information about the user that "granted" access, as I have not requested any scopes, because the app does not need to interact with GitHub itself.
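As an added illustration of the setup the question describes (this is example code, not part of the question or of any Quarkus project), the block below shows a Quarkus 3 "service" application that accepts bearer tokens from an OIDC provider and links the caller to an internal user record by issuer and subject only. It assumes the quarkus-oidc extension plus a JAX-RS/REST extension, Google as a placeholder provider with a discovery document, a placeholder client ID, and a hypothetical package and class name; replace those values for a real deployment.

```java
// Added example (not code from the question): a Quarkus 3 "service" resource that
// accepts bearer tokens from an OIDC provider and links the caller to an internal
// user by (issuer, subject). Requires the quarkus-oidc and a JAX-RS/REST extension.
//
// src/main/resources/application.properties -- assumed placeholder values:
//   quarkus.oidc.auth-server-url=https://accounts.google.com
//   quarkus.oidc.client-id=REPLACE_WITH_CLIENT_ID
//   quarkus.oidc.application-type=service
//   quarkus.oidc.token.audience=REPLACE_WITH_CLIENT_ID
//
// With these settings quarkus-oidc downloads the provider's discovery document
// and JWKS, verifies the token signature, and rejects tokens whose iss, aud or
// exp do not match, so none of that has to be hand-written below.
package org.example.api; // hypothetical package name

import io.quarkus.security.Authenticated;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.jwt.JsonWebToken;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

@Path("/me")
public class MeResource {

    // Populated by quarkus-oidc from the already-verified bearer token.
    @Inject
    JsonWebToken jwt;

    // Stand-in for a user table: external identity -> internal user id.
    private static final Map<String, Long> USERS = new ConcurrentHashMap<>();
    private static final AtomicLong NEXT_ID = new AtomicLong(1);

    /** `sub` is only unique within one issuer, so key on the pair, never on sub alone. */
    static String externalKey(String issuer, String subject) {
        return issuer + "|" + subject;
    }

    @GET
    @Authenticated // a valid token from the configured issuer is required; no provider scopes needed
    @Produces(MediaType.TEXT_PLAIN)
    public String me() {
        String key = externalKey(jwt.getIssuer(), jwt.getSubject());
        // First login creates the internal record; later logins find it again.
        Long internalId = USERS.computeIfAbsent(key, k -> NEXT_ID.getAndIncrement());
        return "internal user " + internalId + " for " + key;
    }
}
```

This only works with a provider that publishes an OpenID Connect discovery document and signed ID tokens (Google does); a GitHub OAuth App, as the question notes, returns an opaque token and cannot be configured as `quarkus.oidc.auth-server-url`, so a GitHub login would have to be brokered through an OIDC-capable identity provider instead.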

0 Answers