zilcuanu

Reputation: 3715

Clarification needed on why a client application should need both an ID token and an access token

The client application fetches the ID token for authentication. But for the resource server, it needs to again make a call to the Auth server and fetch the access token. Hence, does it make sense to make two calls for every OAuth 2.0 flow? The access token is what will be sent to the resource server. Am I missing something here?

Upvotes: 0

Views: 42

Answers (1)

Tore Nestenius

Reputation: 19921

With OpenID Connect, the ID token is returned to the client at the same time as the access token. So there is no specific need to make two requests to get the two tokens.

If you ask for a refresh token as well, then that one will also be returned at the same time.

The API (Resource Server) only receives access tokens from the client, and it can, without asking the identity provider, validate the token. The API does not receive any ID token.

Upvotes: 1
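The flow the answer describes, as an added example that is not part of the original question or answer: a constructed token-endpoint response carries the ID token, access token and refresh token together; the client authenticates the user from the ID token (audience = its own client_id) and hands only the access token to the API; the API validates that token locally (signature, issuer, audience, expiry, scope) with no call back to the identity provider, and rejects the ID token because its audience is the client, not the API. The issuer URL, client_id, API audience, claims and the single HS256 key are all assumptions; one shared HMAC key stands in for the issuer's private key plus the public key that client and API would normally fetch from the provider's JWKS (a real deployment uses RS256/ES256 so only the issuer can sign).

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed identifiers and a constructed demo key (not a real deployment's values).
ISSUER = "https://idp.example.test"
SIGNING_KEY = b"constructed-demo-key-not-for-production"
CLIENT_ID = "web-client"        # audience of the ID token
API_AUDIENCE = "orders-api"     # audience of the access token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT over the given claims (issuer side)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, audience: str, now: int) -> dict:
    """Validate signature, issuer, audience and expiry locally; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def token_endpoint_response(now: int) -> dict:
    """Constructed token-endpoint reply: ID, access and refresh token in ONE response."""
    id_token = sign_jwt({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                         "iat": now, "exp": now + 300, "nonce": "n-1"}, SIGNING_KEY)
    access_token = sign_jwt({"iss": ISSUER, "sub": "user-42", "aud": API_AUDIENCE,
                             "scope": "orders.read", "iat": now, "exp": now + 3600}, SIGNING_KEY)
    return {"token_type": "Bearer", "expires_in": 3600, "id_token": id_token,
            "access_token": access_token, "refresh_token": "constructed-opaque-refresh-token"}


def client_login(response: dict, now: int) -> tuple:
    """Client side: authenticate the user from the ID token, keep the access token for the API."""
    claims = verify_jwt(response["id_token"], SIGNING_KEY, CLIENT_ID, now)
    return claims["sub"], response["access_token"]


def api_authorize(bearer: str, required_scope: str, now: int) -> str:
    """Resource server side: validate the bearer access token locally, no IdP round trip."""
    claims = verify_jwt(bearer, SIGNING_KEY, API_AUDIENCE, now)
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient scope")
    return claims["sub"]


def demo() -> dict:
    """Run the full exchange and report what each side accepted."""
    now = int(time.time())
    resp = token_endpoint_response(now)       # one request yields all tokens
    user, access = client_login(resp, now)
    result = {"user": user, "api_subject": api_authorize(access, "orders.read", now)}
    try:                                      # the ID token must not be accepted by the API
        api_authorize(resp["id_token"], "orders.read", now)
        result["id_token_accepted"] = True
    except ValueError:
        result["id_token_accepted"] = False
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is what keeps the two tokens in their lanes: the ID token is addressed to the client and proves who logged in, the access token is addressed to the API and says what may be done there; neither validation step contacts the identity provider once the signing key is known.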
