OpenID Connect - should the id token be sent to the protected resource in this case?

Let's say I have a web API that a native application needs to make requests to. This API needs to authenticate who the user is that's making these requests via the native app. OpenID Connect seems to be the right choice since it is about authentication rather than authorization with OAuth.

The native app sends the user's credentials to the IDP and gets back an access token (for authorization) and an id token (for authentication). From what I understand of OIDC, the access token would be sent to the API but the id token is only for the native client app. That doesn't make sense to me because it's the API that cares about who the user is, not the native app.

So why isn't the id token also passed to the protected resource (aka the API)? If you don't pass the id token to the API, what guarantees that the access token is secure and can be used to authenticate the user? Otherwise it would seem to lose the benefit of using OIDC over OAuth.

AndyB asked Dec 24 '22 15:12
1 Answer

The OIDC specification is designed in a way that ID tokens are always for clients (the native app) and access tokens are for resources (APIs). ID tokens are always JWT tokens, but access tokens can be of different types.

The purpose of an access token is not to authenticate but to authorize (delegated authorization). If, for some reason, the resource server wanted to know about the user, it can call the user-info endpoint.

The security/validity of token exchange can be validated in several ways:

  • Using encryption/signature with Public/Private key model where Authorization server encrypts / signs the access token with its private key and resource server decrypts / verifies with the public key.

  • Using the token introspection endpoint to validate the claims, validity of the token, etc.

Other attributes like AUD, AZP help in validating the issued access tokens.

Some OIDC providers use ID tokens to access APIs - this is different to the model suggested by the OIDC specification.

This article has a detailed explanation of these scenarios.

Karthik answered Feb 13 '23 06:02
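To make the answer's point concrete, here is an added example (not from the question, the answer, or any OIDC provider's code) of the checks a resource server performs on a bearer token before trusting it: signature, issuer, audience, `azp`, and expiry. The issuer, audience, client id and secret are constructed placeholders. The answer describes an asymmetric public/private key model; this block uses HS256 with a shared secret purely so it runs on the Python standard library, and a real API would instead verify an RS256/ES256 signature against the authorization server's published public key (or call the introspection endpoint). The interesting part is the audience check: an ID token is signed by the same issuer and names the same user, yet it is addressed to the client (`aud` = client id), so the API rejects it, which is exactly why the ID token is not what gets sent to the protected resource.

```python
"""Resource-server token validation: accept access tokens addressed to this
API, reject ID tokens addressed to the client. Added example, not from the
original post.

Assumptions (not from the page): the authorization server puts the API's
identifier in `aud` and the client id in `azp` of access tokens; ID tokens
carry the client id in `aud`. HS256 with a shared secret stands in for the
asymmetric signature a real deployment uses.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values (placeholders, not real identifiers).
ISSUER = "https://idp.example"
API_AUDIENCE = "https://api.example"
CLIENT_ID = "native-app-client"
ALLOWED_CLIENTS = {CLIENT_ID}          # clients allowed to call this API
SHARED_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256.
    This plays the role of the authorization server for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[float] = None,
                        secret: bytes = SHARED_SECRET) -> dict:
    """Validate a bearer token the way a resource server should.

    Order matters: structure and signature first (so untrusted claims are
    never acted on), then issuer, audience, authorized party, expiry.
    Returns the claims on success; raises ValueError with the reason otherwise.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never trust the token's own alg choice blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud_list:           # this is what stops an ID token being used here
        raise ValueError("token not intended for this API")
    if "azp" in claims and claims["azp"] not in ALLOWED_CLIENTS:
        raise ValueError("unknown authorized party")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Mint tokens as the IdP would and report how the API treats each one."""
    user = {"iss": ISSUER, "sub": "user-123"}
    access = mint_token({**user, "aud": API_AUDIENCE, "azp": CLIENT_ID, "scope": "read", "exp": now + 600})
    id_token = mint_token({**user, "aud": CLIENT_ID, "exp": now + 600})
    expired = mint_token({**user, "aud": API_AUDIENCE, "azp": CLIENT_ID, "exp": now - 1})
    forged = mint_token({**user, "aud": API_AUDIENCE, "azp": CLIENT_ID, "exp": now + 600},
                        secret=b"not-the-idp-key")   # signed by someone other than the IdP

    results = {"access": verify_access_token(access, now=now)["sub"]}
    for name, tok in (("id_token", id_token), ("expired", expired), ("forged", forged)):
        try:
            verify_access_token(tok, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block prints that the access token is accepted for `user-123`, while the ID token is refused as "token not intended for this API", the expired token as "token expired", and the token signed with the wrong key as "bad signature". If the access token were opaque rather than a JWT, the same `aud`/`exp`/`sub` checks would be made on the JSON returned by the introspection endpoint instead of on locally verified claims.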