uuu

Reputation: 51

Id tokens vs access tokens

Auth0 claims I should ALWAYS use an access token to secure an API.

If I have control over both my client app and my backend API - why is it wrong to validate the id token as my authorization for my API? Id tokens signed with asymmetric keys seem secure - I don't understand how this is less secure than an access token.

Upvotes: 5

Views: 1244

Answers (2)

Francisco Cardoso

Reputation: 1968

Access Tokens from Auth0 implement a Sender constraint principle, which makes tokens invalid when used by an attacker. The article you've mentioned might be a bit confusing, as you might think they're talking about any Access Token, when they're actually talking specifically about theirs.

Keeping that in mind, most other tokens will have the same security level, as long as they expire and can be refreshed. The difference is purpose/semantics, as mentioned in other responses.


Upvotes: 0

Hans Z.

Reputation: 53928

It is not so much about security, more about usability and semantics. An id_token is supposed to represent an authentication event: it is short-lived and (primarily) designed to be one-time usage only. Those properties don't make it a good token for API usage.

Upvotes: 4
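The semantic difference both answers point at shows up concretely in the audience (`aud`) claim: an id_token is addressed to the client application (its `aud` is the client_id), whereas an access token is addressed to the API. A resource server that validates the audience properly will therefore reject an id_token even when the signature is perfectly valid. The following is an added example, not code from either answer, from the question, or from Auth0. All issuer, client, audience and claim values are constructed, and it signs with HS256 and a shared secret purely so that it runs offline with the standard library; real Auth0 tokens are RS256-signed and the signature check would use the tenant's public key instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (hypothetical; not from Auth0 or the original post).
ISSUER = "https://example-tenant.example.com/"
CLIENT_ID = "client-app-123"               # what an id_token is addressed to
API_AUDIENCE = "https://api.example.com"   # what an access token for this API is addressed to
SECRET = b"constructed-shared-secret"      # HS256 stand-in; real tokens are RS256 with a public key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact JWT signed with HS256 (constructed issuer stand-in)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_for_api(token: str, now=None) -> dict:
    """Checks a resource server should make before trusting a bearer token.

    Order matters: pin the algorithm, verify the signature, then check
    issuer, expiry and, crucially, that the token was issued *for this API*.
    Returns the claims on success and raises ValueError on any failure.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud_list:
        # A valid id_token lands here: it is addressed to the client, not to us.
        raise ValueError(f"token not intended for this API (aud={aud!r})")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Mint one id_token and one access token for the same user and try both on the API."""
    id_token = mint_token({"iss": ISSUER, "sub": "auth0|user1", "aud": CLIENT_ID,
                           "iat": now, "exp": now + 36000, "nonce": "constructed-nonce"})
    access_token = mint_token({"iss": ISSUER, "sub": "auth0|user1",
                               "aud": [API_AUDIENCE, f"{ISSUER}userinfo"],
                               "iat": now, "exp": now + 86400, "scope": "read:things"})
    results = {}
    for name, tok in (("id_token", id_token), ("access_token", access_token)):
        try:
            validate_for_api(tok, now=now + 1)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Both tokens carry the same issuer, subject and a valid signature, so a backend that only checks "is this a correctly signed JWT from my tenant?" would accept either. The audience check is what encodes the semantic difference in code: if the API is ever deployed beside a second API or a second client in the same tenant, accepting id_tokens means any client_id-addressed token issued to any of those apps would be honoured here, which is the confused-deputy situation the audience claim exists to prevent.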
