Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth 2 access_token vs OpenId Connect id_token

Tags:

openid

oauth-2.0

api

Although I have worked with OAuth 2 before, I am a newbie to Open ID Connect.

Reading the tutorials and documentations I have come across both access_token and id_token where access_token is the random unique string generated according to OAuth 2 and id_token is JSON Web Token which contains information like the id of the user, algorithm, issuer and various other info which can be used to validate it. I have also seen API providers who provide both the access_token and id_token and as far as I know it is for backward compatibility.

My question is that is it possible to use both the access_token and the id_token for accessing the protected resources ? Or is the id_token just for verification purposes and access_token is used for getting access to protected resources ?

like image 315
ajaybc Avatar asked Oct 10 '13 10:10

ajaybc

People also ask

What is the difference between OAuth 2.0 and OpenID Connect?

OAuth 2.0 is designed only for authorization, for granting access to data and features from one application to another. OpenID Connect (OIDC) is a thin layer that sits on top of OAuth 2.0 that adds login and profile information about the person who is logged in.

When to use OpenID Connect vs OAuth?

Simply put, OpenID is used for authentication while OAuth is used for authorization. OpenID was created for federated authentication, meaning that it lets a third-party application authenticate users for you using accounts that you already have.

What is OAuth Id_token?

The id_token is used in OpenID Connect protocol, where the user is authenticated as well as authorized. (There's an important distinction between authentication and authorization.) You will get id_token and access_token. The id_token value contains the information about the user's authentication.

Can I use Id_token for authentication?

The short answer here is that ID tokens are for authenticating a user and access tokens for authorizing access to an API. ID tokens are meant for the client only, access tokens the API only. ID tokens do not authorize the user to access an API and trying to use them as such is an abuse of their purpose.

2 Answers

Originally, OAuth and OpenId are designed for different purpose: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)

The id_token is used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.

like image 181
Zólyomi István Avatar answered Oct 13 '22 20:10

Zólyomi István

Another angle to provide an answer:

id_token

  • An id_token is a JWT - make note of that!
  • It contains claims about the identity of the user/resource owner
  • Having a valid id_token means that the user is authenticated

access_token

  • An access_token is a bearer token
  • A bearer token means that the bearer can access the resource without further identification
  • An access_token can be a JWT (see Appendix point 1.) or opaque

If you want to read more: Types of tokens in oidc and oauth

like image 6
human Avatar answered Oct 13 '22 20:10

human
Sign in to Comment

Related questions

Creating html doc from postman collection [closed]
Youtube Player API hide controls, hide info, hide related videos?
Http Status Code 400 vs 412
When working with most APIs, why do they require two types of authentication, namely a key and a secret?
POST JSON over CURL with basic authentication
Trello API: getting boards / lists / cards information
How to get GET parameters with ASP.NET MVC ApiController
how to use github api token in python for requesting
I need an alternative option to HttpClient in Android to send data to PHP as it is no longer supported
This page didn't load Google Maps correctly. See the JavaScript console for technical details
Embed Github contributions graph in website
What DNSs have API access? [closed]
Making a Git project open source when you have secret keys
What is an API token [closed]
How do I do geocoding and routing with OpenStreetMap? [closed]
Proxy in package.json not affecting fetch request
Does closing the inputstream of a socket also close the socket connection?
JSON import to Excel
Nodejs POST request multipart/form-data
Add identification to marker on google maps v2 api for android

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!