
OAuth Access vs ID Token

What's the difference between the ID Token and the Access Token?

ID Tokens

Use ID Token when:

  • The token has all the user information you need
  • You just need to determine if the user is logged in, after which you establish some kind of session, e.g. with a SESSION_ID
[Diagram: Browser to App. The ID token gets sent directly to the app.]

ID tokens carry claims about the user and are issued to your application: the aud claim is your client ID. Most providers sign them with RS256, and your OAuth/OIDC library validates them for you: it fetches the provider's public keys (the JWKS document), checks the signature, and checks iss, aud and exp before it hands you a single claim. Decoding a token is not validating it.

Here's an example. ID Tokens are JWTs (RFC 7519 suggests pronouncing it "jot," though people around me tend to say "jay-double-u-tee").

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpERFltSjBfdXpXWTE1clV2RUtpdyJ9.eyJuaWNrbmFtZSI6Im15dXNlciIsIm5hbWUiOiJteXVzZXJAZXhhbXBsZS5jb20iLCJwaWN0dXJlIjoiaHR0cHM6Ly9zLmdyYXZhdGFyLmNvbS9hdmF0YXIvODQzYjMxMTYxYzBkZjYxNWU0OWMxN2IxZWVhMmQ4OWM_cz00ODAmcj1wZyZkPWh0dHBzJTNBJTJGJTJGY2RuLmF1dGgwLmNvbSUyRmF2YXRhcnMlMkZteS5wbmciLCJ1cGRhdGVkX2F0IjoiMjAyMy0wNi0wNFQwMToyNzowOS41NDZaIiwiaXNzIjoiaHR0cHM6Ly9kZXYtY2Uwb252eDIudXMuYXV0aDAuY29tLyIsImF1ZCI6Im1jN0NLMjA2TWswbG9TaElrOGF2NGVvUktrRU9nbWtPIiwiaWF0IjoxNjg1ODQzMDIyLCJleHAiOjE2ODU4NzkwMjIsInN1YiI6ImF1dGgwfDY0N2E0OTU2ZGNmNWQ3NGEwNWExNjk5NiIsInNpZCI6IkpzUm1UVWYzN0YtelIydkt0U3RkRE1WNEJEdFQ3MTB0In0.dw4MI1eNb4HP8CPF1-xA8ezPuLRf0a5XH8Bp85B-fWzS-HYyF9pzN0otjo5PD0lWoUbPN9ZF5UbRHAYdcrkopCPpOXLyNc_cPPdNWWlu7NJ84IRZViBFpSFQkQv97uK7sTxI8vKefannZ5gjevAJLzp3JVULyrrD4h2I2g5L8tFmaCJ3tOjl_FBDc0O_ISwH8wV9GCdXlrkhTCuugRClauUzPgNHRiOoGxgAG3QlVcm6OGCewBqF2nSTUwMKIE01zcNAewIn4cSUsynNg-AnUCNU9SEQ658Tezk6JfALqJZWqvdn8V7ZOt2o7BLx9K7eI-3zwKHWm6VL2r5-K2NtYw

If we paste this into jwt.io, we find a header of {"alg":"RS256","typ":"JWT","kid":"JDDYmJ0_uzWY15rUvEKiw"} (the kid tells a library which key in the JWKS to verify against) and a payload that decodes to


{
"nickname": "myuser",
"name": "myuser@example.com",
"picture": "https://s.gravatar.com/avatar/843b31161c0df615e49c17b1eea2d89c?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fmy.png",
"updated_at": "2023-06-04T01:27:09.546Z",
"iss": "https://dev-ce0onvx2.us.auth0.com/",
"aud": "mc7CK206Mk0loShIk8av4eoRKkEOgmkO",
"iat": 1685843022,
"exp": 1685879022,
"sub": "auth0|647a4956dcf5d74a05a16996",
"sid": "JsRmTUf37F-zR2vKtStdDMV4BDtT710t"
}

Additional data may be included in an ID token, like the user's roles, but the ID token may not be the best place for this. It is addressed to your client application (aud is your client ID), not to your APIs, so a backend that accepts an ID token as proof of what a user may do is trusting a credential that was never meant for it. Authorization belongs with the access token and the resource server.

Access Tokens

Use Access Tokens when:

  • An application needs to access a "resource" on the user's behalf

For example, you might grant a drawing application access to your Google Drive so it can save images (😬). In this case the "resource" is Google Drive. Other resources might be your calendar, your Gmail, a Slack channel, an e-commerce order, your account information, etc.

This could be on the server side, with your backend holding the access token and calling the resource, or it might be a single-page application (SPA) or mobile app calling services directly, in which case the access token lives in the browser or on the device, where it is far easier to steal. 💀💀💀

The Userinfo Service

If you find yourself wanting to read user information from an access token directly by decoding it, you're probably misusing it. To the client, access tokens are opaque: their format is a contract between the authorization server and the resource server, not with you. Some providers do issue JWT-formatted access tokens for their APIs, but your application is not the audience of those claims either, so don't build logic on a format you were never promised.

However, every OpenID Connect provider exposes an endpoint that will offer up information about a user. It is just another resource, so your application accesses it on behalf of the user with an access token (one issued with the openid scope). The provider advertises it as userinfo_endpoint in its discovery document, and typically it is at /userinfo. For example, in an Auth0 tenant https://dev-nnnnnnnn.us.auth0.com/userinfo is the userinfo service, and it is called by passing the access token in the Authorization header as a Bearer token, e.g.


Authorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtY2Uwb252eDIudXMuYXV0aDAuY29tLyJ9..0R4ADXfO4iyBbpKe.HfxAFBwAoZRxblcCu6mV3VOAlpdhvs77OAwU9EGOnryWcl2Us__V8VbRLgrwpraRB1pnBF3XSAYbeuD0oIrkyRnDBaNRrBU40jSxjfw2oVmYmBnNl-UEiTIqPDKUg643ACXowcBJHXbg0A5vAyJ3riWMz-ZLJ6bJ8f1pOUBbJK9V3VBPyXgjaXxDeb0GbVrHj2eYIql4rtJ9M4xz1BxqNmSPIyONyyaHxOxpHB--wOXm8xN8FlqNER4sgIPzqvTrqyXDfybcXVHzlHUPo8o7i9vMUKYw7Q0seERJ8IOmfw1W9pqKoXLgetnTPhg.V-Vsvws46TZ06DYMseYD8w

Auth0 responds with something like this, which you'll notice bears some similarity to the ID Token above. Note that you could not have read any of it out of the access token yourself: that token has five dot-separated segments and a header of {"alg":"dir","enc":"A256GCM"}, i.e. it is a JWE encrypted with a key only Auth0 holds, which is exactly why the userinfo endpoint exists.


{
"sub": "auth0|647a4956dcf5d74a05a16996",
"nickname": "myuser",
"name": "myuser@example.com",
"picture": "https://s.gravatar.com/avatar/843b31161c0df615e49c17b1eea2d89c?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fmy.png",
"updated_at": "2023-06-04T01:49:03.868Z"
}

About Me

Tom McLaughlin is a Software Developer residing in Nebraska, where he is safe from shark attacks, but Potato Oles lurk around every corner. You can find him on LinkedIn and Github.
