OAuth 2 access_token vs OpenId Connect id_token

api oauth-2.0 openid
25,045

Solution 1

Originally, OAuth and OpenId are designed for different purpose: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)

The id_token is used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.

Solution 2

Another angle to provide an answer:

id_token

  • An id_token is a JWT - make note of that!
  • It contains claims about the identity of the user/resource owner
  • Having a valid id_token means that the user is authenticated

access_token

  • An access_token is a bearer token
  • A bearer token means that the bearer can access the resource without further identification
  • An access_token can be a JWT (see Appendix point 1.) or opaque

If you want to read more: Types of tokens in oidc and oauth

Solution 3

access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.

id_token is a JWT and represents the logged in user. It is often used by your app.

is it possible to use both the access_token and the id_token for accessing the protected resources ?

Not completely, first, you need to use id_token to log in,
second, you will get a accessToken,
last, use accessToken to access data.

Share:
25,045
ajaybc
Author by

ajaybc

Updated on March 12, 2020

Comments

  • ajaybc
    ajaybc about 4 years

    Although I have worked with OAuth 2 before, I am a newbie to Open ID Connect.

    Reading the tutorials and documentations I have come across both access_token and id_token where access_token is the random unique string generated according to OAuth 2 and id_token is JSON Web Token which contains information like the id of the user, algorithm, issuer and various other info which can be used to validate it. I have also seen API providers who provide both the access_token and id_token and as far as I know it is for backward compatibility.

    My question is that is it possible to use both the access_token and the id_token for accessing the protected resources ? Or is the id_token just for verification purposes and access_token is used for getting access to protected resources ?

  • Learning-Overthinker-Confused
    Learning-Overthinker-Confused over 6 years
    I am bit confused with this open id connect and oauth2 implementation.I am having a front end(html,angularjs) and back end webservice.Now i want to implement token based mechanism during login so with login user will send clientid,emailid,password and in the backend i will validate client id other credentials after that i will issue a token to user and with the help of that token user will maintain that user session.So where does openid connect comes and how it will be usefull to me.Can you please provide some insight to me as i am really confused here please
  • Zólyomi István
    Zólyomi István over 6 years
    As far as I understand, you don't need authorization, only authentication. If so then you should simply use OpenId or an SSO solution, but you don't need OAuth or OpenId Connect at all.
  • Ashokan Sivapragasam
    Ashokan Sivapragasam about 5 years
    For SPA, it looks like it uses 'id_token' in place of 'access_token'. Is it true that 'id_token' is taking over in this special case for SPA? One reason is that, SPA cannot talk to OAuth Token Endpoint because of CORS Policy.
  • Ashokan Sivapragasam
    Ashokan Sivapragasam about 5 years
    @ZólyomiIstván, for SPA, it looks like it uses 'id_token' in place of 'access_token'. Is it true that 'id_token' is taking over in this special case for SPA? One reason is that, SPA cannot talk to OAuth Token Endpoint because of CORS Policy.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to OAuth 2.0 with Retrofit Android
Using PHP cURL to POST data on /oauth2/access_token and GET data as jSON
Angular JS and Twitter API, how can we hook them up
Refresh token with Keycloak
How to call a REST API using Azure Data Factory Pipelines?
What is callback url in instagram api and how to can I implement it
Instagram API returning 400 (Bad Request)
How to start with OAuth Client Credentials to protect WebApi using OWIN Oauth?
Identity Server 4 - Getting invalid_client error
How to add claims to access token get from IdentityServer3 using resource owner flow with javascript client