0

If I only have 1 web app (or native app), why would I want to use access tokens as opposed to id tokens? The app should be able to call all methods in my WebApi. Maybe all users shouldn't be able to call all WebApi methods but access tokens don't help w/ that (as far as I know).

I could see value if I had multiple apps and I only wanted each app to have access to certain WebApi methods but not for the single app case.

spottedmahn

1 Answer

2

If, logically, the front-end and back-end apps are the same application (i.e. they share the application identifier), then you don't have to issue an access token, as long as you don't want to implement any access decisions in the back-end app using scopes since an ID token isn't issued with these.

Chris Padgett
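The trade-off described in the answer above, as an added example that is not part of the original answer: a back-end check that accepts any token issued for the shared application identifier, but can only enforce per-method scopes when the token carries them. The method names, scope names, application identifier and claim sets are constructed, and the scope claim name (`scp` or `scope`) is an assumption that depends on the issuer; signature, issuer and expiry validation are assumed to have happened already.

```python
# Added example: authorization over JWT claims that are assumed to be already
# signature-, issuer- and expiry-validated. All identifiers are constructed.
APP_ID = "11111111-2222-3333-4444-555555555555"  # shared application identifier

# Hypothetical WebApi methods and the scope each requires (None = no scope check).
REQUIRED_SCOPE = {
    "GET /orders": None,
    "POST /orders": "orders.write",
    "DELETE /orders": "orders.admin",
}

# Constructed claim sets for the same user and the same application.
ID_TOKEN_CLAIMS = {"aud": APP_ID, "sub": "user-1", "nonce": "n-0S6"}
ACCESS_TOKEN_CLAIMS = {"aud": APP_ID, "sub": "user-1", "scp": "orders.write"}


def granted_scopes(claims):
    """Return the scopes in a token; an ID token yields an empty set."""
    raw = claims.get("scp") or claims.get("scope") or ""
    return set(raw.split()) if isinstance(raw, str) else set(raw)


def authorize(claims, method):
    """Decide whether a validated token may call a WebApi method."""
    if method not in REQUIRED_SCOPE:
        return False, "unknown method"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if APP_ID not in audiences:
        return False, "audience mismatch"
    needed = REQUIRED_SCOPE[method]
    if needed is None:
        return True, "no scope required"
    if needed in granted_scopes(claims):
        return True, "scope granted"
    return False, "missing scope " + needed


if __name__ == "__main__":
    for name, claims in (("id", ID_TOKEN_CLAIMS), ("access", ACCESS_TOKEN_CLAIMS)):
        for method in REQUIRED_SCOPE:
            print(name, method, authorize(claims, method))
```

With the ID token only the method that needs no scope is allowed; the access token additionally reaches the method whose scope it was issued with.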