OAuth 2 access_token vs OpenId Connect id_token

StackOverflow https://stackoverflow.com/questions/19293793

  •  30-06-2022
  •  | 
  •  

Question

Although I have worked with OAuth 2 before, I am a newbie to Open ID Connect.

Reading the tutorials and documentations I have come across both access_token and id_token where access_token is the random unique string generated according to OAuth 2 and id_token is JSON Web Token which contains information like the id of the user, algorithm, issuer and various other info which can be used to validate it. I have also seen API providers who provide both the access_token and id_token and as far as I know it is for backward compatibility.

My question is that is it possible to use both the access_token and the id_token for accessing the protected resources ? Or is the id_token just for verification purposes and access_token is used for getting access to protected resources ?

Was it helpful?

Solution

Originally, OAuth and OpenId are designed for different purpose: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)

The id_token is used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.

OTHER TIPS

Another angle to provide an answer:

id_token

  • An id_token is a JWT - make note of that!
  • It contains claims about the identity of the user/resource owner
  • Having a valid id_token means that the user is authenticated

access_token

  • An access_token is a bearer token
  • A bearer token means that the bearer can access the resource without further identification
  • An access_token can be a JWT (see Appendix point 1.) or opaque

If you want to read more: Types of tokens in oidc and oauth

access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.

id_token is a JWT and represents the logged in user. It is often used by your app.

is it possible to use both the access_token and the id_token for accessing the protected resources ?

Not completely, first, you need to use id_token to log in,
second, you will get a accessToken,
last, use accessToken to access data.

Here is an article that describes why the id_token was introduced and what was it's initial purpose: Why we need a id_token in OpenID Connect & Facebook Connect. In short they tried to standardize the Hybrid Flow that was used by the Facebook.

We considered was using the id_token as the access_token. We rejected that option because:

  • Many providers have existing OAuth token formats for there endpoints that wo uld be difficult to change.
  • We don't want long term access tokens being stored in the browser as cookies.
  • There are clearly separate recipients of the two tokens overloading the semantics of the two tokens would reduce flexibility and increase complexity in the long term.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top