Reputation: 1973
We have a little argument in the company about the way to get user info with OAuth2.
The first developer is getting the user info inside the access token with the library spring-security-oauth2
and decodes it.
The second developer uses OpenID Connect on top of OAuth2 with the library Nimbus;
in this way you get the user info from the UserInfo endpoint.
Which way is better practice? And why use OpenID Connect if I can get my user info without it?
Thanks for any help and explanations.
Upvotes: 0
Views: 2275
Reputation: 53958
An access token - and in fact bare OAuth 2.0 - cannot be used to authenticate the user. It can only be used to retrieve information about a user, which may not be the user that is operating the browser. See: https://oauth.net/articles/authentication/
So if you want to authenticate the user - in a standards-compliant way - you need to use OpenID Connect.
Upvotes: 2
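The distinction the answer draws (an access token lets you look up a user; only an ID token proves which user just logged in to your client) can be shown with a small relying-party check. The example below is added here and is not from the original post, from spring-security-oauth2 or from Nimbus. It uses a constructed issuer, client_id, nonce and user record, and an HS256 shared secret stands in for the provider's published signing keys; real code would verify RS256/ES256 against the provider's JWKS with a proper library, but the claim checks (signature, iss, aud, exp, nonce) are the point.

```python
"""Added example: why an OIDC ID token, not an OAuth 2.0 access token,
authenticates the user at a relying party. All values are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://op.example"          # constructed issuer URL
CLIENT_ID = "my-spa-client"            # constructed client_id of this relying party
SECRET = b"constructed-shared-secret"  # constructed HS256 key, demo only
# constructed user store behind the (simulated) UserInfo endpoint
USERS = {"user-42": {"sub": "user-42", "name": "Alice Example", "email": "alice@example.test"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT (stands in for the provider's token endpoint)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET) -> dict:
    """Check the signature and return the claims; ValueError on any failure."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("not a JWT")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept what the token says
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """The checks OIDC Core 3.1.3.7 requires of a relying party before trusting an ID token."""
    now = time.time() if now is None else now
    claims = verify_jwt(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: not tied to our login request")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def userinfo_endpoint(access_token: str) -> dict:
    """Simulated UserInfo endpoint: returns the profile of the token's subject to
    whoever presents a valid token with the 'profile' scope. It says nothing
    about which client obtained the token or who is sitting at the browser."""
    claims = verify_jwt(access_token)
    if "profile" not in claims.get("scope", "").split():
        raise ValueError("insufficient_scope")
    return dict(USERS[claims["sub"]])


def demo(now: float = 1_700_000_000.0) -> dict:
    nonce = "n-0S6_WzA2Mj"  # constructed; generated per login and kept in the session
    id_token = sign_jwt({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                         "exp": now + 300, "iat": now, "nonce": nonce})
    # An access token minted for a different client still describes user-42 and
    # the UserInfo endpoint will answer for it, but it is not a login proof for us.
    access_token = sign_jwt({"iss": ISSUER, "sub": "user-42", "aud": "some-other-api",
                             "scope": "profile email", "exp": now + 3600})
    results = {"id_token": "ok", "access_token_as_login": "ok",
               "userinfo_sub": userinfo_endpoint(access_token)["sub"]}
    try:
        validate_id_token(id_token, nonce, now)
    except ValueError as e:
        results["id_token"] = str(e)
    try:
        validate_id_token(access_token, nonce, now)
    except ValueError as e:
        results["access_token_as_login"] = str(e)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The UserInfo call succeeds for the access token and returns user-42's profile, which is exactly the first developer's approach; the ID-token validation rejects that same token because its `aud` is not this client and it carries no `nonce` bound to this login. That is the difference between "information about a user" and "the user in this browser authenticated just now".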