Jack

Reputation: 335

Access Token from OIDC vs OAuth2.0

  1. I know that the access token obtained from OAuth 2.0 can be used to access protected resources.

  2. OpenID Connect issues an ID token and an access token after authentication, and the spec says that the access token can be used to access the userinfo endpoint to get additional user information.

One thing I'm not able to understand is: is there any difference between the access token obtained in #1 vs. #2? If there is no difference, then do we need OAuth 2.0 if we implement OIDC?

Upvotes: 0

Views: 1110

Answers (2)

Alex Buchatski

Reputation: 306

These access tokens have different audiences ("aud" claim): the OAuth 2.0 access token is intended for the resource server (i.e. the API), and the OIDC access token is intended for the identity server itself. As for me, they cannot be used interchangeably, but some examples (e.g. IdentityServer4) do that without checking the "aud" claim.

PS. A single access token can be used for both purposes if both audiences are included:

Each principal intended to process the JWT MUST identify itself with a value in the audience claim.<...> In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value.

JWT doc

Upvotes: 1
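Illustrating the audience point in the answer above, an added example that is not from the answer, from IdentityServer4 or from any library: a minimal HS256 JWT issuer plus two verifiers, one playing the API (resource server) and one playing the identity provider's userinfo endpoint. Each accepts a token only if its own identifier appears in "aud", which may be a single string or an array of strings as the quoted JWT text says. The shared secret, the two audience URLs and the claim values are invented for the example; a real provider would normally sign with an asymmetric key published at its JWKS endpoint, but the audience logic is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: the secret and audience identifiers below are invented.
SECRET = b"constructed-shared-secret-for-demo-only"
API_AUDIENCE = "https://api.example.com"        # resource server (the OAuth 2.0 use of the token)
USERINFO_AUDIENCE = "https://idp.example.com"   # the identity provider itself (the OIDC userinfo use)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject: str, audiences, ttl_seconds: int = 300) -> str:
    """Issue an HS256 JWT whose "aud" claim lists every intended recipient (RFC 7519, section 4.1.3)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": USERINFO_AUDIENCE, "sub": subject, "aud": list(audiences),
               "iat": now, "exp": now + ttl_seconds, "scope": "openid profile"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_for_audience(token: str, expected_audience: str, now=None) -> dict:
    """Verify signature, expiry and audience; raise ValueError on any failure.

    The audience check is the point of the example: "aud" may be one string or an
    array of strings, and a recipient accepts the token only if its own identifier
    appears there.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":   # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if expected_audience not in audiences:
        raise ValueError(f"token not intended for {expected_audience}: aud={aud}")
    return payload


def api_accepts(token: str) -> bool:
    """Resource-server check: does this token name the API as an audience?"""
    try:
        verify_for_audience(token, API_AUDIENCE)
        return True
    except ValueError:
        return False


def userinfo_accepts(token: str) -> bool:
    """Identity-provider userinfo check: does this token name the IdP as an audience?"""
    try:
        verify_for_audience(token, USERINFO_AUDIENCE)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    api_only = mint_access_token("alice", [API_AUDIENCE])
    idp_only = mint_access_token("alice", [USERINFO_AUDIENCE])
    both = mint_access_token("alice", [API_AUDIENCE, USERINFO_AUDIENCE])
    for name, tok in (("API audience only", api_only), ("IdP audience only", idp_only), ("both audiences", both)):
        print(f"{name:20s} api={api_accepts(tok)!s:5s} userinfo={userinfo_accepts(tok)!s}")
```

The token minted for the API alone is rejected by the userinfo check and vice versa, while the dual-audience token passes both, which is exactly the "single access token for both purposes" case in the answer's postscript. The string-or-array handling of "aud" matters in practice: a verifier that only does `payload["aud"] == my_id` silently rejects every multi-audience token.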

Gary Archer

Reputation: 29243

You tend to just implement both OIDC and OAuth 2.0 together as a combined flow, by plugging in an OpenID Connect security library.

E.g. for a mobile app it is common to plug in the AppAuth libraries, which would give you this behaviour:

  • An OAuth 2.0 authorization redirect using response_type=code
  • The OpenID Connect part is initiated by including scope=openid
  • You then get an authorization code (OAuth 2.0)
  • You then swap the authorization code for tokens
  • You get an access token (the OAuth 2.0 part)
  • You also get an ID token (the OIDC part)

In practical terms OIDC introduces some standardisation that makes developing UI flows and dealing with access tokens in APIs easier, e.g.:

  • Metadata endpoint, to tell us where all the other endpoints live
  • JWKS endpoint, from which we can get the access token's public key

Typically in my own code I do not use the ID token much at all. However, it is best practice to receive one, so that libraries such as AppAuth can make extra verification checks against received tokens.

If it helps, my Message Workflow Blog Post summarises some messages and use of endpoints.

Upvotes: 1
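The combined flow listed in the answer above, as an added example that is not part of the answer and not AppAuth's code: a toy provider and a public client (using PKCE, as a mobile app would) exchange the authorization request, the callback with the code, the token request and the token response. The client resolves endpoints from a metadata document, receives the access token whether or not openid was requested, receives an ID token only when it was, and performs the verification checks on that ID token that the answer says a library does for you. All URLs, the client_id, the metadata document and the signing key are invented; the provider signs the ID token with HS256 using a key the client already holds, standing in for a real provider's asymmetric key that a client fetches from the JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example, not from the answer or from AppAuth. Every URL, client_id and key is
# invented; PROVIDER_KEY stands in for the public key a real client would fetch from jwks_uri.
CLIENT_ID = "mobile-app-demo"
REDIRECT_URI = "com.example.app:/callback"
METADATA = {  # what the provider's metadata (discovery) endpoint would return
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
}
PROVIDER_KEY = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class ToyProvider:
    """Just enough of an authorization server to answer the two requests in the flow."""

    def __init__(self):
        self.pending = {}  # code -> (client_id, redirect_uri, code_challenge, nonce, scope)

    def authorize(self, query: dict) -> str:
        """Authorization endpoint: the user would log in here; we record the request and mint a code."""
        if query["response_type"] != "code" or query["code_challenge_method"] != "S256":
            raise ValueError("unsupported request")
        code = secrets.token_urlsafe(32)
        self.pending[code] = (query["client_id"], query["redirect_uri"],
                              query["code_challenge"], query.get("nonce"), query["scope"])
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint: check the PKCE verifier and the binding to the original request."""
        client_id, redirect_uri, challenge, nonce, scope = self.pending.pop(form["code"])  # one-time code
        expected = b64url(hashlib.sha256(form["code_verifier"].encode()).digest())
        if (form["grant_type"] != "authorization_code" or form["client_id"] != client_id
                or form["redirect_uri"] != redirect_uri or not hmac.compare_digest(expected, challenge)):
            return {"error": "invalid_grant"}
        now = int(time.time())
        response = {"token_type": "Bearer", "expires_in": 300,
                    "access_token": secrets.token_urlsafe(32)}  # the OAuth 2.0 part (opaque here)
        if "openid" in scope.split():  # the OIDC part: an ID token, only when openid was requested
            claims = {"iss": METADATA["issuer"], "sub": "user-123", "aud": client_id,
                      "iat": now, "exp": now + 300, "nonce": nonce}
            signing_input = (b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                             + "." + b64url(json.dumps(claims).encode()))
            sig = hmac.new(PROVIDER_KEY, signing_input.encode(), hashlib.sha256).digest()
            response["id_token"] = signing_input + "." + b64url(sig)
        return response


def run_flow(provider: ToyProvider, scope: str = "openid profile") -> dict:
    """Client side: build the redirect, check the callback, redeem the code, verify the ID token."""
    verifier = secrets.token_urlsafe(64)  # PKCE (RFC 7636), which a public mobile client must use
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = METADATA["authorization_endpoint"] + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state, "nonce": nonce,
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256"})
    # 1-2. Authorization redirect, then the callback carrying code and state
    callback = provider.authorize({k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()})
    params = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if not hmac.compare_digest(params["state"], state):
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    # 3. Swap the code for tokens
    tokens = provider.token({"grant_type": "authorization_code", "code": params["code"],
                             "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                             "code_verifier": verifier})
    if "error" in tokens:
        raise ValueError(tokens["error"])
    result = {"access_token": tokens["access_token"], "id_claims": None}
    # 4. Verify the ID token before trusting it: signature first, then iss, aud, nonce and exp
    if "id_token" in tokens:
        h, p, s = tokens["id_token"].split(".")
        expected = hmac.new(PROVIDER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("id_token signature invalid")
        claims = json.loads(b64url_decode(p))
        if (claims["iss"] != METADATA["issuer"] or claims["aud"] != CLIENT_ID
                or claims["nonce"] != nonce or claims["exp"] <= int(time.time())):
            raise ValueError("id_token claims rejected")
        result["id_claims"] = claims
    return result


if __name__ == "__main__":
    out = run_flow(ToyProvider())
    print("access token (send to the API or the userinfo endpoint):", out["access_token"][:8] + "...")
    print("verified ID token subject:", out["id_claims"]["sub"])
    print("ID token without scope=openid:", run_flow(ToyProvider(), scope="profile")["id_claims"])
```

Running it shows the access token arriving in both runs while the ID token appears only when scope contains openid; the state and nonce checks, the one-time use of the code and the S256 verifier comparison are the places a hand-rolled client usually goes wrong and the reason the answer recommends a library.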
