We have multiple apps integrated with ID cloud using OIDC.
Even when a user is authenticated and has a valid FR session, the access to apps will depend on another database that has the user → app mapping.
If the external database does not have a user → app 1 mapping, user should not be issued a token even if the authentication was successful.
The external database has an API that we can use to check authorization.
How can we customize OIDC token issuance step to allow or deny access to the app based on the response of this API call?