web api – Two step provisioning using OIDC and AD?

A client requested that we implement the following authentication/authorisation flow:

  1. User authenticates using OIDC via a IAM (Salesforce in this case).
  2. If user is an external user, then a flag is appended to the JWT payload which indicates we need to query Active Directory for the users’ group associations/permissions.
  3. Otherwise the user is not given any permissions to our system, and a local admin is notified and needs to assign permissions manually.

The reason for this is that both internal users (employees) and customers can be authenticated via the IAM, but authorisation for internal users is managed strictly via AD.

Is this a common/good practice?

I’ve been unable to find information about this flow, and as we might need to persuade the client from going forward with this implementation I’m trying to demonstrate that this is not a common, or even discouraged approach to doing auth.