stackoom
  简体   繁体   中英

OAuth 2 access_token vs OpenId Connect id_token

 原文  2013-10-10 10:52:41       api/ oauth-2.0/ openid

Question

Although I have worked with OAuth 2 before, I am a newbie to Open ID Connect.

Reading the tutorials and documentations I have come across both access_token and id_token where access_token is the random unique string generated according to OAuth 2 and id_token is JSON Web Token which contains information like the id of the user, algorithm, issuer and various other info which can be used to validate it. I have also seen API providers who provide both the access_token and id_token and as far as I know it is for backward compatibility.

My question is that is it possible to use both the access_token and the id_token for accessing the protected resources ? Or is the id_token just for verification purposes and access_token is used for getting access to protected resources ?

4 answers

solution1
 45 ACCPTED  2013-10-18 07:20:34

Originally, OAuth and OpenId are designed for different purpose: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)

The id_token is used to identify the authenticated user, eg for SSO. The access_token must be used to prove access rights to protected resources, eg for the userinfo endpoint in OpenId Connect.

solution2
 4  2020-03-11 13:31:23

Another angle to provide an answer:

id_token

  • An id_token is a JWT - make note of that!
  • It contains claims about the identity of the user/resource owner
  • Having a valid id_token means that the user is authenticated

access_token

  • An access_token is a bearer token
  • A bearer token means that the bearer can access the resource without further identification
  • An access_token can be a JWT (see Appendix point 1.) or opaque

If you want to read more: Types of tokens in oidc and oauth

solution3
 3  2017-09-05 07:10:44

access_token is useful to call certain APIs in Auth0 (eg /userinfo) or an API you define in Auth0.

id_token is a JWT and represents the logged in user. It is often used by your app.

is it possible to use both the access_token and the id_token for accessing the protected resources ?

Not completely, first, you need to use id_token to log in,
second, you will get a accessToken,
last, use accessToken to access data.

solution4
 0  2020-02-27 09:52:31

Here is an article that describes why the id_token was introduced and what was it's initial purpose: Why we need a id_token in OpenID Connect & Facebook Connect . In short they tried to standardize the Hybrid Flow that was used by the Facebook.

We considered was using the id_token as the access_token. We rejected that option because:

  • Many providers have existing OAuth token formats for there endpoints that wo uld be difficult to change.
  • We don't want long term access tokens being stored in the browser as cookies.
  • There are clearly separate recipients of the two tokens overloading the semantics of the two tokens would reduce flexibility and increase complexity in the long term.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Best practice for id_token vs. access_token use in AWS Lambda Is oauth 2.0 access_token IP dependant or not? OAuth access_token request -> forbidden Storing Oauth2 access_token without a database in Flask What are the security flaws of exposing OAuth access_token to a user? How to call an OAuth API once I have the access_token & refresh_token Facebook access_token for ads Request the access_token Instagram Rails API access_token OAuth (Access Token) Vs API Key
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM