Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OpenID Connect - should the id token be sent to the protected resource in this case?

Tags:

security

openid-connect

oauth-2.0

single-sign-on

Lets say I have a web API that a native application needs to make requests to. This API needs to authenticate who the user is that's making these requests via the native app. OpenID Connect seems to be the right choice since it is about authentication rather than authorization with OAuth.

The native app sends the users credentials to the IDP and gets back an access token (for authorization) and an id token (for authentication). From what I understand of OIDC, the access token would be sent to the API but the id token is only for the native client app. That doesn't make sense to me because it's the API that cares about who the user is, not the native app.

So why isn't the id token also passed to the protected resource (aka the API)? If you don't pass the id token to the API, what guarantees that the access token is secure and can be used to authenticate the user? Otherwise it would seem to lose the benefit of using OIDC over OAuth.

like image 588
AndyB Avatar asked Dec 24 '22 15:12

AndyB

1 Answers

The OIDC Specification is designed in a way that ID tokens are always for Clients (Native app) and Access tokens are for resources (APIs). The ID tokens are always JWT tokens, but the Access tokens can be of different type.

The purpose of Access token is not to authenticate but to Authorize (Delegated Authorization). If, for some reason, the resource server wanted to know about the user, it can call the user-info endpoint.

The security/validity of token exchange can be validated in several ways:

  • Using encryption/signature with Public/Private key model where Authorization server encrypts / signs the access token with its private key and resource server decrypts / verifies with the public key.

  • Using token introspection endpoint to validate the claims, validity of the token etc..

Other attributes like AUD , AZP help in validating the issued access tokens.

Some OIDC providers use ID_Tokens to access API's - this is different to the model suggested by OIDC specification

This article has detailed explanation about these scenarios.

like image 77
Karthik Avatar answered Feb 13 '23 06:02

Karthik
Sign in to Comment

Related questions

Restrict my iOS device to a particular app
Is there an equivalent to yaml.safe_load in Ruby?
Can any third-party load embedded resources from my project?
Changing java security file in windows
How secure is it to block IP addresses in .htaccess?
ASP.NET MVC ValidateAntiForgeryToken — can it be replaced with authorization check & referrer check?
Is there any way to Hash a password using BCrypt in classic ASP?
How to make web based python interactive shell
Where to store MySQL credentials in PHP scripts?
EJB Invocation failed on component by java.security.AccessControlException
How to properly escape raw SQL query (plainto_tsquery) in Postgres / node
Secure Coding Guidelines for Python
Elixir distributed security and whitelisting allowed nodes
Protect PHP endpoints called by AJAX
CryptographicException: Access denied - How to give access on User store?
Django password in PHP
Why Firebase can work on my app without INTERNET permission [duplicate]
Golang dropping privileges (v1.7)
Is there a way to have different ticket expiry lengths in OpenIddict?
How to create a public key store for microservices?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!