What is the difference between id_token and access_token in Auth0

In Auth0 you can use refresh tokens. In this link, we can see many returned parameters:

lock.showSignin({
  authParams: {
    // 'openid' asks for an id_token; 'offline_access' asks for a refresh_token
    scope: 'openid offline_access'
  }
}, function (err, profile, id_token, access_token, state, refresh_token) {
  // store refresh_token
});

Apparently, access_tokens can be used to retrieve user profile data. But this appears to be specific to oauth, and I thought auth0 uses openid?

What is the difference between id_token and access_token?

asked Jul 18 '15 20:07 by Scott Coates

People also ask

What is the difference between Access_token and Id_token?

Access tokens are what the OAuth client uses to make requests to an API. The access token is meant to be read and validated by the API. An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client.

What is Auth0 Id_token?

An ID token is an artifact that proves that the user has been authenticated. It was introduced by OpenID Connect (OIDC), an open standard for authentication used by many identity providers such as Google, Facebook, and, of course, Auth0.

What is Id_token used for?

ID tokens are used in token-based authentication to cache user profile information and provide it to a client application, thereby providing better performance and experience.

Can I use Id_token for authentication?

The short answer here is that ID tokens are for authenticating a user and access tokens are for authorizing access to an API. ID tokens are meant for the client only, access tokens for the API only. ID tokens do not authorize the user to access an API, and trying to use them as such is an abuse of their purpose.


2 Answers

OpenID Connect is built on top of OAuth2.

  • An access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.
  • An id_token is a JWT and represents the logged in user. It is often used by your app.
  • A refresh_token (only to be used by a mobile/desktop app) doesn't expire (but is revocable) and it allows you to obtain freshly minted access_tokens and id_tokens.
answered Oct 18 '22 22:10 by Eugenio Pace


The resource server (your server-side application) accepts only the access token from a client. This is because access tokens are intended for authorizing access to a resource. ID tokens, on the other hand, are intended for authentication. An ID token is granted by the OpenID Provider and contains information about an End-User. source

Access tokens are the thing that applications use to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts of a user’s data. Access tokens must be kept confidential.

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it. Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token. source

The lifetime of a refresh token is up to the authorization server (AS); they can expire, be revoked, etc. The difference between a refresh token and an access token is the audience: the refresh token only goes back to the authorization server, the access token goes to the resource server (RS). source

answered Oct 18 '22 21:10 by Premraj
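The two answers above make three claims that are easy to check in code: the id_token is addressed to the client (its aud is the client_id), the access_token is addressed to the API (its aud is the API identifier) and is short-lived, and the refresh_token only ever goes back to the authorization server together with the client credentials. The following is an added, constructed example and not Auth0's code or the answerers' code. It simulates all three parties in one file. Everything in it is an assumption for self-containment: HS256 with a shared signing key (Auth0 actually signs with RS256 and publishes the verification keys via JWKS), the tenant URL, client id/secret and API identifier, and the token lifetimes.

```python
"""Toy OIDC/OAuth2 exchange: who issues, who consumes, and who validates each token.
Constructed example; not Auth0 code. HS256 with a shared key is an assumption made
so the file runs offline (Auth0 uses RS256 + JWKS in practice)."""
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://example-tenant.auth0.com/"   # assumed tenant URL
CLIENT_ID = "abc123clientid"                    # assumed OAuth client id (id_token audience)
CLIENT_SECRET = "s3cr3t-client-secret"          # assumed client secret (confidential client)
API_AUDIENCE = "https://api.example.com"        # assumed API identifier (access_token audience)
SIGNING_KEY = b"shared-hs256-signing-key"       # assumption: HS256 shared key, see docstring


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, expected_aud: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    now = now or time.time()
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:          # the whole point: aud decides who may consume it
        raise ValueError(f"wrong audience: {claims.get('aud')!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class AuthorizationServer:
    """Mints tokens at login and exchanges refresh tokens for fresh access tokens."""
    ACCESS_TTL = 300    # short-lived: limits the window if an access token leaks

    def __init__(self):
        self._refresh_tokens = {}   # opaque refresh_token -> (client_id, sub, scope)

    def login(self, sub: str, nonce: str, scope: str, now=None):
        now = now or time.time()
        id_token = sign_jwt({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                             "iat": now, "exp": now + 3600, "nonce": nonce})
        access_token = sign_jwt({"iss": ISSUER, "sub": sub, "aud": API_AUDIENCE,
                                 "iat": now, "exp": now + self.ACCESS_TTL, "scope": scope})
        refresh_token = None
        if "offline_access" in scope.split():       # only issued when the client asked for it
            refresh_token = secrets.token_urlsafe(32)
            self._refresh_tokens[refresh_token] = (CLIENT_ID, sub, scope)
        return id_token, access_token, refresh_token

    def refresh(self, refresh_token: str, client_id: str, client_secret: str, now=None) -> str:
        """The refresh token is only ever presented here, alongside the client credentials."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        entry = self._refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id:
            raise PermissionError("unknown or revoked refresh token")
        _, sub, scope = entry
        now = now or time.time()
        return sign_jwt({"iss": ISSUER, "sub": sub, "aud": API_AUDIENCE,
                         "iat": now, "exp": now + self.ACCESS_TTL, "scope": scope})

    def revoke(self, refresh_token: str) -> None:
        self._refresh_tokens.pop(refresh_token, None)


def client_validate_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """What the OAuth client (your app) does with the id_token: verify it is for *this* client."""
    claims = verify_jwt(id_token, expected_aud=CLIENT_ID, now=now)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed id_token)")
    return claims


def resource_server_authorize(authorization_header: str, required_scope: str, now=None) -> dict:
    """What the API does with the Authorization header: only tokens addressed to the API pass."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    claims = verify_jwt(token, expected_aud=API_AUDIENCE, now=now)
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient scope")
    return claims


if __name__ == "__main__":
    auth = AuthorizationServer()
    idt, at, rt = auth.login("auth0|user1", "n0nce", "openid profile offline_access")
    print("client accepted id_token for", client_validate_id_token(idt, "n0nce")["sub"])
    print("API accepted access_token with aud", resource_server_authorize("Bearer " + at, "profile")["aud"])
    try:
        resource_server_authorize("Bearer " + idt, "profile")
    except ValueError as e:
        print("API rejected id_token:", e)
```

The rejection path is the one worth reading: the API never looks at whether the presented JWT "is valid" in the abstract, it checks that aud names the API, so a perfectly good id_token is refused with "wrong audience" and a leaked refresh_token is refused without the client secret.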