OAuth 2 access_token vs OpenId Connect id_token
Solution 1
Originally, OAuth and OpenId are designed for different purpose: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)
The id_token is used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.
Solution 2
Another angle to provide an answer:
id_token
- An id_token is a JWT - make note of that!
- It contains claims about the identity of the user/resource owner
- Having a valid id_token means that the user is authenticated
access_token
- An access_token is a bearer token
- A bearer token means that the bearer can access the resource without further identification
- An access_token can be a JWT (see Appendix point 1.) or opaque
If you want to read more: Types of tokens in oidc and oauth
Solution 3
access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.
id_token is a JWT and represents the logged in user. It is often used by your app.
is it possible to use both the access_token and the id_token for accessing the protected resources ?
Not completely, first, you need to use id_token to log in,
second, you will get a accessToken,
last, use accessToken to access data.
ajaybc
Updated on March 12, 2020Comments
-
ajaybc about 4 years
Although I have worked with OAuth 2 before, I am a newbie to Open ID Connect.
Reading the tutorials and documentations I have come across both access_token and id_token where access_token is the random unique string generated according to OAuth 2 and id_token is JSON Web Token which contains information like the id of the user, algorithm, issuer and various other info which can be used to validate it. I have also seen API providers who provide both the access_token and id_token and as far as I know it is for backward compatibility.
My question is that is it possible to use both the access_token and the id_token for accessing the protected resources ? Or is the id_token just for verification purposes and access_token is used for getting access to protected resources ?
-
Learning-Overthinker-Confused over 6 yearsI am bit confused with this open id connect and oauth2 implementation.I am having a front end(html,angularjs) and back end webservice.Now i want to implement token based mechanism during login so with login user will send clientid,emailid,password and in the backend i will validate client id other credentials after that i will issue a token to user and with the help of that token user will maintain that user session.So where does openid connect comes and how it will be usefull to me.Can you please provide some insight to me as i am really confused here please
-
Zólyomi István over 6 yearsAs far as I understand, you don't need authorization, only authentication. If so then you should simply use OpenId or an SSO solution, but you don't need OAuth or OpenId Connect at all.
-
Ashokan Sivapragasam about 5 yearsFor SPA, it looks like it uses 'id_token' in place of 'access_token'. Is it true that 'id_token' is taking over in this special case for SPA? One reason is that, SPA cannot talk to OAuth Token Endpoint because of CORS Policy.
-
Ashokan Sivapragasam about 5 years@ZólyomiIstván, for SPA, it looks like it uses 'id_token' in place of 'access_token'. Is it true that 'id_token' is taking over in this special case for SPA? One reason is that, SPA cannot talk to OAuth Token Endpoint because of CORS Policy.