ID Tokens vs Access Tokens (2024)

FAQs

ID Tokens vs Access Tokens? ›

The ID tokens concern the user authentication process, demonstrating how the system knows you, while Access tokens concern an authorisation decision proving that the intent has been authorised.

They can both be encoded as JWT, but the content and purpose are also different. An ID token contains the identity information about the authenticated users, and it is intended to be consumed by the front-end application. On the other hand, an access token represents a ticket with permission to consume an API.

The differences between ID Tokens and Access Tokens

ID Tokens are JSON Web Tokens (JWT) that contain claims about a user's identity, such as their username, email, etc. Access Tokens are used to grant applications permission to access server resources on behalf of the user.

Access tokens vs ID tokens

Access tokens are intended for authorizing access to a resource. It's important that the resource server (your server-side app) accepts only an access token from a client. ID tokens, on the other hand, are intended for authentication.

Unlike access tokens, which are opaque objects that cannot be inspected by the application, ID tokens are meant to be inspected and used by the application.

We recommend against storing ID tokens. If you must do so, ensure that you clear the tokens when users log out or delete accounts. In contrast to traditional web apps, single-page applications (SPAs) require client-side API calls to process user interactions.

Information in ID tokens enables the client to verify that a user is who they claim to be. Third-party applications are intended to understand ID tokens. ID tokens shouldn't be used for authorization purposes. Access tokens are used for authorization.

The ID token contains claims about their identity, like their username, family name, and email address. The access token contains claims like scope that the authenticated user can use to access third-party APIs, Amazon Cognito user self-service API operations, and the UserInfo endpoint.

Sessions store data server-side, while tokens keep it local, offering flexibility and scalability. However, both methods have their considerations, such as resource management and security protocols. The choice between them depends on the specific needs and priorities of the application.

ID tokens are meant to be read by the OAuth client. Access tokens are meant to be read by the resource server. ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.

What is the purpose of ID token in OIDC? ›

The ID token

Asserts the identity of the user, called subject in OpenID (sub). Specifies the issuing authority (iss). Is generated for a particular audience, i.e. client (aud). May contain a nonce (nonce).

The token is stored at the client-side. This makes it easier for an attacker to obtain the access token.

In an ID token, the claims include user attributes and information about the user pool, iss , and app client, aud . In an access token, the payload includes scopes, group membership, your user pool as iss , and your app client as client_id . The signature isn't decodable base64 like the header and payload.

The access token allows for access to different APIs and protected resources. The refresh token lets you mint new access tokens. The id token from OpenID Connect (OIDC) is used by the client to display information about the user.

Identity token is used to authenticate users to your resource servers or server applications. For example, if you use Cognito as authorizer in AWS API Gateway you need to use Identity token to call API. The purpose of the access token is to authorize API operations in the context of the user in the user pool.

Access tokens are used in token-based authentication to allow an application to access an API. For example, a Calendar application needs access to a Calendar API in the cloud so that it can read the user's scheduled events and create new events.