34

Although I have worked with OAuth 2 before, I am a newbie to Open ID Connect.

Reading the tutorials and documentation I have come across both access_token and id_token, where access_token is the random unique string generated according to OAuth 2 and id_token is a JSON Web Token which contains information like the id of the user, algorithm, issuer and various other info which can be used to validate it. I have also seen API providers who provide both the access_token and id_token and as far as I know it is for backward compatibility.

My question is: is it possible to use both the access_token and the id_token for accessing the protected resources? Or is the id_token just for verification purposes and access_token is used for getting access to protected resources?

ajaybc
  • Note that access_token is usually a random number while the id_token contains some private info about the user: its name, email and probably some others. Thus it's not a good idea to use the id_token widely across the system because it may leak, e.g. be printed to logs or shown on an error page, etc. – Sergey Ponomarev Feb 27 '20 at 09:58

4 Answers

49

Originally, OAuth and OpenId were designed for different purposes: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)

The id_token is used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.

Zólyomi István
  • I am a bit confused with this OpenID Connect and OAuth2 implementation. I am having a front end (HTML, AngularJS) and a back end web service. Now I want to implement a token based mechanism during login, so with login the user will send client id, email id, password, and in the backend I will validate the client id and other credentials; after that I will issue a token to the user, and with the help of that token the user will maintain that user session. So where does OpenID Connect come in and how will it be useful to me? Can you please provide some insight to me as I am really confused here, please – I Love Stackoverflow Oct 30 '17 at 08:11
  • As far as I understand, you don't need authorization, only authentication. If so then you should simply use OpenId or an SSO solution, but you don't need OAuth or OpenId Connect at all. – Zólyomi István Oct 31 '17 at 09:12
  • @ZólyomiIstván, for SPA, it looks like it uses 'id_token' in place of 'access_token'. Is it true that 'id_token' is taking over in this special case for SPA? One reason is that, SPA cannot talk to OAuth Token Endpoint because of CORS Policy. – Ashokan Sivapragasam Apr 24 '19 at 06:11
7

Another angle to provide an answer:

id_token

  • An id_token is a JWT - make note of that!
  • It contains claims about the identity of the user/resource owner
  • Having a valid id_token means that the user is authenticated

access_token

  • An access_token is a bearer token
  • A bearer token means that the bearer can access the resource without further identification
  • An access_token can be a JWT (see Appendix point 1.) or opaque

If you want to read more: Types of tokens in oidc and oauth

human
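As an added example (not from any of the answers above), here is a minimal Python sketch of the separation the two answers describe: the resource server accepts only a token whose aud is the API itself, and the client app accepts an id_token only when its aud is the client's own client_id, so neither token can be swapped for the other even though both are JWTs. Everything in it is constructed for the demo: HS256 with a shared secret (a real provider signs with RS256 and you verify against its JWKS), the issuer, client id and audience strings, and the two sample tokens.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; real deployments verify RS256 against the issuer's JWKS.
SECRET = b"demo-shared-secret"
ISSUER = "https://issuer.example.com"
CLIENT_ID = "spa-client-123"
API_AUDIENCE = "https://api.example.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT (header.payload.signature) for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, expected_aud: str, now=None):
    """Return the claims if signature, iss, aud and exp all check out, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None                      # tampered or foreign signature
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        return None                      # wrong issuer, or token meant for someone else
    if claims.get("exp", 0) <= now:
        return None                      # expired
    return claims

def resource_server_accepts(token: str, now=None) -> bool:
    """The API only honours bearer tokens whose audience is the API itself."""
    return verify_jwt(token, API_AUDIENCE, now) is not None

def client_accepts_login(token: str, now=None) -> bool:
    """The client app only treats a token as a login if it was issued to this client_id."""
    return verify_jwt(token, CLIENT_ID, now) is not None

# Constructed sample tokens for the same user, both expiring at t=4600.
ID_TOKEN = mint_jwt({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                     "email": "alice@example.com", "exp": 4600})
ACCESS_TOKEN = mint_jwt({"iss": ISSUER, "sub": "user-42", "aud": API_AUDIENCE,
                         "scope": "profile read:data", "exp": 4600})
```

Passing the id_token to the API fails on the audience check, which is also why the id_token's personal claims never need to reach the resource server or its logs.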
3

access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.

id_token is a JWT and represents the logged-in user. It is often used by your app.

is it possible to use both the access_token and the id_token for accessing the protected resources?

Not completely. First, you need to use id_token to log in;
second, you will get an accessToken;
last, use accessToken to access data.

Mike Yang
  • For SPA, it looks like it uses 'id_token' in place of 'access_token'. Is it true that 'id_token' is taking over in this special case for SPA? One reason is that, SPA cannot talk to OAuth Token Endpoint because of CORS Policy. – Ashokan Sivapragasam Apr 24 '19 at 06:10
0

Here is an article that describes why the id_token was introduced and what its initial purpose was: Why we need a id_token in OpenID Connect & Facebook Connect. In short, they tried to standardize the Hybrid Flow that was used by Facebook.

We considered using the id_token as the access_token. We rejected that option because:

  • Many providers have existing OAuth token formats for their endpoints that would be difficult to change.
  • We don't want long term access tokens being stored in the browser as cookies.
  • There are clearly separate recipients of the two tokens; overloading the semantics of the two tokens would reduce flexibility and increase complexity in the long term.
Sergey Ponomarev