ID token or /userinfo for Identity assertion

After authenticating with a provider, an application will often receive both an ID token and an access token on behalf of the user. Now it seems there are two ways to assert who the user is.

  1. Verify the ID token and then read the ID token.
  2. Pass the access token to the userinfo endpoint and read the JSON response.

Both seem like acceptable avenues, but are there certain scenarios in which one or the other should be used?

Panda asked Sep 14 '17 06:09

2 Answers

If you have both tokens and the ID token contains all info you need, you can use either way. Below are a few differences that came to my mind:

  • Verifying and reading an ID token can be done without accessing its OAuth2 server (if you have its certificate already downloaded locally), which makes it faster and there are fewer possible errors to deal with - no network requests.
  • If the user info was changing often, an ID token could contain obsolete data, but it's hardly ever the case.
  • Access tokens can be revoked (ID tokens cannot), so if you need it, they will do the job better.
Ján Halaša answered Oct 28 '22 22:10
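
The offline ID-token check this answer describes, plus the cross-check that applies when an application uses both the ID token and the userinfo response, as an added example (not code from either answer): an ID-token validator that needs nothing but the standard library and no round trip to the provider. The issuer, client id, client secret, nonce, timestamps and userinfo JSON are constructed values; the signature uses the client-secret-keyed HS256 variant OpenID Connect permits for confidential clients, standing in for the RS256/JWKS verification most providers use (the claim checks are the same either way).

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo; a real client gets these from its IdP registration.
ISSUER, CLIENT_ID, CLIENT_SECRET = "https://idp.example.test", "demo-client", "demo-client-secret"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims: dict, secret: str = CLIENT_SECRET) -> str:
    """Stand-in for the IdP: mint an HS256-signed ID token (demo only; in practice the IdP signs)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token: str, nonce: str, now=None, secret: str = CLIENT_SECRET) -> dict:
    """Validate an ID token entirely offline (no request to the IdP); return its claims or raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the token's own 'alg' header must never choose how it is verified.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(payload_b64))
    if c.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if CLIENT_ID not in aud or (len(aud) > 1 and c.get("azp") != CLIENT_ID):
        raise ValueError("token was not issued to this client")  # a login at another client is not a login here
    if c.get("exp", 0) <= now:
        raise ValueError("expired")
    if c.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # ties the token to the login request being completed
    return c

def userinfo_consistent(id_claims: dict, userinfo_json: str) -> bool:
    """When both are used, OIDC Core 5.3.2 requires the UserInfo 'sub' to equal the ID token's 'sub'."""
    return json.loads(userinfo_json).get("sub") == id_claims.get("sub")
```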


Apart from the technical differences there's a semantic difference as well: the id_token and the info in there represent and identify an authenticated user. That user is "present" and logs in to the application.

The access_token and the information returned from the userinfo endpoint represents information about the user who issued the access token to the entity that presents it. That user doesn't need to be "present" or logged in (anymore).

An id_token is typically "one-time usage" and an access_token usually can be used for a short period of time.

Now in the case that both tokens are issued and received at the same time when a user logs in with OpenID Connect, the two overlap.

Hans Z. answered Oct 28 '22 22:10