ID tokens vs Access Tokens (2024)

Developers often confuse ID tokens and access tokens in OAuth. Both can be encoded as JWTs, but their content and purpose are different.

An ID token contains identity information about the authenticated user and is intended to be consumed by the front-end application.

On the other hand, an access token represents a ticket with permission to consume an API.

The ID token and the access token are both negotiated with an authorization server using OAuth 2.0, but the profile used to obtain each one is different.

An ID token is negotiated with OpenID Connect when the scope is set to idtoken. Additional information can be requested in that token by also setting the profile and email scopes. When the authorization server receives those scopes, and the user consents to share their identity with the front-end application, it issues an ID token containing attributes, or claims, representing the user's identity. Those claims are part of the OIDC specification and usually include:

  • Name
  • Nick Name
  • Picture
  • Email
  • Given Name
  • Family Name
  • Email_Verified

The audience of this token is the front-end application. This matters: the token should only be consumed by that application, never by an API.

Optionally, the ID token can also contain roles if you use the RBAC model to drive authorization decisions in the UX.

An access token, on the other hand, does not contain any information about the user's identity. The scope passed by the front end in the authorization request defines the intended audience of the access token, that is, the API this token grants access to. That audience attribute is what governs whether the token can be reused to consume other Web APIs.

This access token carries no user identity information, but it can include user roles if the API implements an RBAC model.
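As an added example (not code from the original article), the audience check that keeps the two token types apart: a stdlib-only Python stand-in for the authorization server mints a constructed ID token and a constructed access token, and each consumer accepts only the token addressed to it. ISSUER, CLIENT_ID, the sample claims and the HS256 shared secret are assumptions for the demo; "api://crm" is the API audience the article registers.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not from the original article.
ISSUER = "https://auth.example.test"
CLIENT_ID = "react-crm-spa"   # the front-end application (audience of the ID token)
CRM_AUDIENCE = "api://crm"    # the CRM API registered at the authorization server
SECRET = b"demo-hs256-key"    # HS256 keeps the demo self-contained; real IdPs sign with RS256/ES256

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Stand-in for the authorization server: issue a compact HS256 JWT."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, expected_aud: str):
    """Check signature, issuer, expiry and audience; return the claims, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    # The header's alg is deliberately ignored: this verifier always recomputes HS256.
    expected_sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected_sig):
        return None
    claims = json.loads(_unb64(body))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # The aud check is what separates an ID token from an access token at the consumer.
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time() or expected_aud not in audiences:
        return None
    return claims

NOW = int(time.time())
ID_TOKEN = mint({"iss": ISSUER, "sub": "u123", "aud": CLIENT_ID, "exp": NOW + 300,
                 "name": "Ada Lovelace", "email": "ada@example.test", "email_verified": True})
ACCESS_TOKEN = mint({"iss": ISSUER, "sub": "u123", "aud": CRM_AUDIENCE, "exp": NOW + 300,
                     "scope": "crm.read crm.write", "roles": ["sales"]})

def crm_api_accepts(token: str) -> bool:
    """Resource server: only a token whose audience is the CRM API is a valid ticket."""
    return verify(token, CRM_AUDIENCE) is not None

def frontend_accepts(token: str) -> bool:
    """Front end: only a token addressed to the client itself carries identity it may trust."""
    return verify(token, CLIENT_ID) is not None
```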

As an optimization, the ID token and the access token can be negotiated in a single request to the authorization server. In that case, the front end includes idtoken + api in the scope of the authorization request, and the authorization server returns an ID token and an access token for that API in one shot. The illustration shows the front end using OpenID Connect + OAuth 2.0 PKCE to get the ID and access tokens.

For example, a React application consumes a backend Web API for a CRM. That API was previously registered in the authorization server with the scope "api://crm". The React app sends an authorization request to the authorization server with the scope "idtoken api://crm". That tells the authorization server that the application wants to authenticate the user and also asks for authorization to consume the CRM API on behalf of the same user. If the user approves the request, the authorization server returns a code that the app can later redeem for the ID token and the access token for the CRM API.
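The combined request from the CRM example, as added Python that is not part of the original article: PKCE pair generation on the front end, the authorization request carrying both the OIDC scope and the CRM API scope, the code-redemption body, and the authorization server's verifier check. The endpoint, client id and redirect URI are constructed; the standard OIDC scope that requests an ID token is `openid`, used here where the article writes `idtoken`.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo endpoint and identifiers, not from the original article.
AUTHORIZE_ENDPOINT = "https://auth.example.test/authorize"
CLIENT_ID = "react-crm-spa"
REDIRECT_URI = "https://crm.example.test/callback"
# "openid" is the standard OIDC scope for an ID token; "api://crm" is the scope the
# article registers for the CRM API, so one request asks for both tokens.
SCOPE = "openid profile email api://crm"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """RFC 7636: a high-entropy verifier kept by the SPA and its S256 challenge sent up front."""
    verifier = _b64url(secrets.token_bytes(32))            # 43 unreserved characters
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def build_authorization_url(code_challenge: str, state: str, nonce: str) -> str:
    """Front end: the authorization request whose code is later redeemed for both tokens."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,                      # bound to the browser session, checked on return
        "nonce": nonce,                      # echoed back inside the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def parse_authorization_url(url: str) -> dict:
    """Return the request's query parameters as single values (to inspect what was sent)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def token_request_body(code: str, code_verifier: str) -> dict:
    """Front end: redeem the code; the verifier proves this client started the flow."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": code_verifier}

def server_pkce_check(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server: recompute S256 over the verifier and compare in constant time."""
    recomputed = _b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)
```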

FAQs

ID tokens vs Access Tokens?

Both can be encoded as JWTs, but their content and purpose are different. An ID token contains identity information about the authenticated user and is intended to be consumed by the front-end application. On the other hand, an access token represents a ticket with permission to consume an API.

What is the difference between Google Id_token and Access_token?

Unlike access tokens, which are opaque objects that cannot be inspected by the application, ID tokens are meant to be inspected and used by the application. Information from the token, such as who signed the token or the identity for whom the ID token was issued, is available for use by the application.

What is the difference between Microsoft ID and access token?

Third-party applications are intended to understand ID tokens. ID tokens shouldn't be used for authorization purposes. Access tokens are used for authorization. The claims provided by ID tokens can be used for UX inside your application, as keys in a database, and providing access to the client application.

What is the difference between Okta ID_token and access token?

Access tokens vs ID tokens

As mentioned earlier, it's important that the resource server (your server-side app) accepts only the access token from a client. Access tokens are intended for authorizing access to a resource. ID tokens, on the other hand, are intended for authentication.

What is the difference between session ID and access token?

Sessions store data server-side, while tokens keep it local, offering flexibility and scalability. However, both methods have their considerations, such as resource management and security protocols. The choice between them depends on the specific needs and priorities of the application.

Should I use access or ID token?

Both can be encoded as JWTs, but their content and purpose are different. An ID token contains identity information about the authenticated user and is intended to be consumed by the front-end application. On the other hand, an access token represents a ticket with permission to consume an API.

How can you tell the difference between ID token and access token?

The differences between ID Tokens and Access Tokens

ID Tokens are JSON Web Tokens (JWT) that contain claims about a user's identity, such as their username, email, etc. Access Tokens are used to grant applications permission to access server resources on behalf of the user.

What is the purpose of an ID token?

ID tokens are used in token-based authentication to cache user profile information and provide it to a client application, thereby providing better performance and experience.

What is the difference between ID token and access token API gateway?

The identity token is used to authorize API calls based on identity claims of the signed-in user. The access token is used to authorize API calls based on the custom scopes of specified access-protected resources. For more information, see Using Tokens with User Pools and Resource Server and Custom Scopes.

What is the difference between AWS access and ID token?

The ID token contains claims about their identity, like their username, family name, and email address. The access token contains claims like scope that the authenticated user can use to access third-party APIs, Amazon Cognito user self-service API operations, and the UserInfo endpoint.

Can an ID_token be used for authentication?

When ID tokens are available, you can use them to securely authenticate with your app's backend, or to automatically sign up the user for a new account without the need to verify the user's email address. To sign in or sign up a user with an ID token, send the token to your app's backend.

Why use access tokens?

Access tokens are used in token-based authentication to allow an application to access an API. The application receives an access token after a user successfully authenticates and authorizes access, then passes the access token as a credential when it calls the target API.

How to get ID token from access token Google?

Methods for getting an ID token
  1. Get an ID token from the metadata server.
  2. Use a connecting service to generate an ID token.
  3. Generate an ID token by impersonating a service account.
  4. Generate a generic ID token for development with Cloud Run and Cloud Functions.

Is client ID same as access token?

ID tokens are meant to be read by the OAuth client. Access tokens are meant to be read by the resource server. ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.

What is ID token access token and refresh token?

Access tokens are used in token-based authentication to gain access to resources by using them as bearer tokens. A refresh token is a long-lived special kind of token used to obtain a renewed access token. An ID token carries identity information encoded in the token itself, which must be a JWT.

Is API key the same as access token?

API keys are typically associated with specific servers the calling application is deployed on. When the application makes an API request, the server identifies the calling application by the API key. In contrast, an API token is a string of codes containing comprehensive data that identifies a specific user.

What is GoogleIDToken?

You need a Google-signed ID token for the following authentication use cases: accessing a Cloud Run service; invoking a Cloud Function; authenticating a user to an application secured by Identity-Aware Proxy (IAP); making a request to an API deployed with API Gateway or Cloud Endpoints.

What is access token in Google?

If the user grants at least one permission, the Google Authorization Server sends your application an access token (or an authorization code that your application can use to obtain an access token) and a list of scopes of access granted by that token.

Article information

Author: Tish Haag
