 

OAuth 2 access_token vs OpenId Connect id_token

Although I have worked with OAuth 2 before, I am a newbie to Open ID Connect.

Reading the tutorials and documentation I have come across both access_token and id_token, where access_token is the random unique string generated according to OAuth 2 and id_token is a JSON Web Token which contains information like the id of the user, the algorithm, the issuer and various other info which can be used to validate it. I have also seen API providers who provide both the access_token and the id_token, and as far as I know it is for backward compatibility.

My question is: is it possible to use both the access_token and the id_token for accessing the protected resources? Or is the id_token just for verification purposes and the access_token is used for getting access to protected resources?

asked Oct 10 '13 10:10 by ajaybc


People also ask

What is the difference between OAuth 2.0 and OpenID Connect?

OAuth 2.0 is designed only for authorization, for granting access to data and features from one application to another. OpenID Connect (OIDC) is a thin layer that sits on top of OAuth 2.0 that adds login and profile information about the person who is logged in.

When to use OpenID Connect vs OAuth?

Simply put, OpenID is used for authentication while OAuth is used for authorization. OpenID was created for federated authentication, meaning that it lets a third-party application authenticate users for you using accounts that you already have.

What is OAuth Id_token?

The id_token is used in OpenID Connect protocol, where the user is authenticated as well as authorized. (There's an important distinction between authentication and authorization.) You will get id_token and access_token. The id_token value contains the information about the user's authentication.

Can I use Id_token for authentication?

The short answer here is that ID tokens are for authenticating a user and access tokens are for authorizing access to an API. ID tokens are meant for the client only, access tokens for the API only. ID tokens do not authorize the user to access an API, and trying to use them as such is an abuse of their purpose.


2 Answers

Originally, OAuth and OpenId were designed for different purposes: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)

The id_token is used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.

answered Oct 13 '22 20:10 by Zólyomi István


Another angle to provide an answer:

id_token

  • An id_token is a JWT - make note of that!
  • It contains claims about the identity of the user/resource owner
  • Having a valid id_token means that the user is authenticated

access_token

  • An access_token is a bearer token
  • A bearer token means that the bearer can access the resource without further identification
  • An access_token can be a JWT (see Appendix point 1.) or opaque

If you want to read more: Types of tokens in oidc and oauth

answered Oct 13 '22 20:10 by human
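The split both answers describe (id_token proves who logged in and is consumed by the client; access_token is a bearer credential presented to the protected resource such as the userinfo endpoint) is easier to see with both sides in code. The following is an added example, not code from either answer and not any real OpenID Provider's implementation. It assumes a hypothetical issuer https://op.example, a hypothetical client id demo-client, a constructed client_secret and a fixed clock, and it signs the id_token with HS256 keyed on the client_secret (which OIDC Core 10.1 permits) purely so it runs offline; a real relying party usually receives RS256 tokens and fetches the OP's keys from its jwks_uri. The toy OP issues an opaque access_token alongside the JWT id_token, the client validates the id_token (signature, iss, aud, exp, nonce) and then calls userinfo with the access_token, and the resource refuses an id_token presented as a bearer token.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Every value here is constructed for the example; none of it comes from the page.
ISSUER = "https://op.example"          # hypothetical OpenID Provider (OP)
CLIENT_ID = "demo-client"              # hypothetical relying party (the client)
CLIENT_SECRET = b"constructed-client-secret-for-this-example-only"
NOW = 1_700_000_000                    # fixed clock so expiry checks are deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 (OIDC Core 10.1 allows HS256 keyed on the client_secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Structure and signature check; the accepted alg is pinned, never taken from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


class OpenIDProvider:
    """Toy OP: returns a JWT id_token (audience = the client) plus an opaque access_token."""

    def __init__(self):
        self.access_tokens = {}  # opaque access_token -> (sub, scope, exp); meaningful only to this OP

    def token_endpoint(self, sub: str, nonce: str, scope: str = "openid profile") -> dict:
        claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 300, "nonce": nonce}
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = (sub, scope, NOW + 3600)
        return {"id_token": sign_jwt(claims, CLIENT_SECRET), "access_token": access_token, "token_type": "Bearer"}

    def userinfo_endpoint(self, authorization: str) -> dict:
        """Protected resource: admits only a live access_token it issued; an id_token is an unknown string here."""
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or token not in self.access_tokens:
            raise PermissionError("invalid_token")
        sub, scope, exp = self.access_tokens[token]
        if exp <= NOW or "openid" not in scope.split():
            raise PermissionError("invalid_token")
        return {"sub": sub, "name": "Example User"}


def validate_id_token(id_token: str, expected_nonce: str) -> dict:
    """Relying-party checks from OIDC Core 3.1.3.7 before the identity is trusted."""
    claims = verify_jwt(id_token, CLIENT_SECRET)
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("aud mismatch: this id_token was not issued to us")
    if claims.get("exp", 0) <= NOW:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims


def login_and_fetch_profile(op: OpenIDProvider, sub: str, nonce: str) -> tuple:
    """Client happy path: authenticate with the id_token, then authorize with the access_token."""
    tokens = op.token_endpoint(sub, nonce)
    identity = validate_id_token(tokens["id_token"], nonce)              # who is logged in?
    profile = op.userinfo_endpoint("Bearer " + tokens["access_token"])  # may I read their profile?
    return identity["sub"], profile


def rejected(fn, *args) -> bool:
    """True when fn(*args) is refused; used to exercise the negative cases."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False
```

Note the two audiences: the id_token's `aud` is the client id, so only the client should ever check it, while the resource server recognizes the access_token by its own record (or, with JWT access tokens, by an `aud` naming the API). Sending the id_token in the Authorization header therefore fails at userinfo, which is exactly the behaviour the answers above predict.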