Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Clarification on id_token vs access_token

I'm building a system with OIDC and OAuth 2.0 (using Auth0), and I'm unsure how to properly use the id_token and access_token. Or rather, I'm confused about which roles to assign to the various services in my setup.

I have a fully static frontend-application (single-page app, HTML + JS, no backend) that ensures that the user is authenticated using the implicit flow against Auth0. The frontend-application then fetches data from an API that I am also building.

Now, which is right?

  • The frontend SPA is the OAuth client application
  • My API service is an OAuth resource server

...or:

  • The frontend and my API service are both the client application

If both my frontend and backend API can be considered to be the client, I see no real harm in using the id_token as the bearer token on requests from my frontend to my backend - this is appealing because then I can simply verify the signed token on the backend, and I have all the information about the user that I need. However, if my API is considered a resource server, I should probably use the access_token, but then I have to connect to Auth0's servers on every API request to both verify the token, and get basic user info, won't I?

I've read this which seems to suggest that the access_token is the only valid token for use with my API. But like I said, I'm not sure about the roles of the individual services. And using the id_token is tempting, because it requires no network connections on the backend, and contains information I need to extract the right data.

What is the right way to go about this?

like image 667
Christian Johansen Avatar asked Oct 11 '17 07:10

Christian Johansen


People also ask

What is the difference between Id_token and Access_token?

Access tokens are what the OAuth client uses to make requests to an API. The access token is meant to be read and validated by the API. An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client.

Can I use Id_token for authentication?

The short answer here is that ID tokens are for authenticating a user and access tokens for authorizing access to an API. ID tokens are meant for the client only, access tokens the API only. ID tokens do not authorize the user to access an API and trying to use them as such is an abuse of their purpose.

What is the Id_token used for?

ID tokens are issued by the authorization server and contain claims that carry information about the user. They can be sent alongside or instead of an access token. Information in ID Tokens allows the client to verify that a user is who they claim to be.

Is bearer token same as access token?

Bearer Tokens are the predominant type of access token used with OAuth 2.0. A Bearer Token is an opaque string, not intended to have any meaning to clients using it. Some servers will issue tokens that are a short string of hexadecimal characters, while others may use structured tokens such as JSON Web Tokens.


1 Answers

Your frontent is your OAuth client application, once it stores the token it can take actions on the OAuth flow. And your API service is resource server, because it accepts the access_token issued by your identity server.

Also I would say that your id_token stands for the identification of the logged user and may contain sensitive data for your app. The access_token is standing as your credential to access a resource.

At the end you will use an access_token to request a resource, and then if you need specific data from the logged in user (resource owner), you may request the ID token from the token endpoint.

like image 177
Arley Pádua Avatar answered Sep 25 '22 20:09

Arley Pádua