ID token or /userinfo for Identity assertion

Question

After authenticating with a provider, an application will often receive both an ID token and an access token on behalf of the user. Now it seems there are two ways to assert who the user is.

1. Verify the ID token and then read the ID token.
2. Pass the access token to the userinfo endpoint and read the JSON response.

Both seem like acceptable avenues, but are there certain scenarios in which one or the other should be used?

Answer 1

If you have both tokens and the ID token contains all info you need, you can use either way. Below are few differences that came to my mind:

• Verifying and reading an ID token can be done without accessing its OAuth2 server (if you have its certificate already downloaded locally), which makes it faster and there are fewer possible errors to deal with - no network requests.
• If the user info was changing often, an ID token could contain obsolete data, but it's hardly ever a case.
• Access tokens can be revoked (ID tokens cannot), so if you need it, they will do the job better.

Answer 2

Apart from the technical differences there's a semantic difference as well: the id_token and the info in the there represents and identifies an authenticated user. That user is "present" and logs in to the application.

The access_token and the information returned from the userinfo endpoint represents information about the user who issued the access token to the entity that presents it. That user doesn't need to be "present" or logged in (anymore).

An id_token is typically "one-time usage" and an access_token usually can be used for a short period of time.

Now in the case that both tokens are issued and received at the same time when a user logs in with OpenID Connect, the two overlap.