Skip to main content
Blog Post

OAuth Access vs ID Token

Use ID Token when:

Tom McLaughlin
OAuth Access vs ID Token
What's the difference between the ID Token and the Access Token?

ID Tokens

Use ID Token when:

  • The token has all the user information you need
  • You just need to determine if the user is logged in, after which you establish some kind of session, e.g. with a SESSION_ID

ID tokens carry some information about a user. In most configurations (RS256), your oauth2 library will validate the token automatically.

Here's an example. ID Tokens are JWTs (pronounced "jawt," though people around me tend to say "jay-double-u-tee").

If we paste this into jwt.io, we find that the token decodes to

Additional data may be included in an ID token, like the user's roles, but the ID token may not be the best place for this.

Access Tokens

Use Access Tokens when:

  • An application needs to access a "resource" on the user's behalf

For example, you might grant a drawing application access to your google drive so it can save images (😬). In this case he "resource" is google drive. Other resources might be your calendar, your gmail, a slack channel, an ecommerce order, your account information, etc.

This could be on the server side,

Or it might be a single-page application (SPA) or mobile app calling services directly

The Userinfo Service

If you find yourself wanting to read user information from an access token directly by decoding it, you're probably misusing it. We treat them as opaque tokens.

However, there is an endpoint in most Authorization servers that will offer up information about a user. It is just another resource, so your application can access it on behalf of the user. Typically it is at /userinfo. For example, in an Auth0 tenant https://dev-nnnnnnnn.us.auth0.com/userinfo is the userinfo service, and it can be called by passing an access token in the Authorization header, e.g.

Auth0 responds with something like this, which you'll notice bears some similarity to the ID Token above.

About Me

Tom McLaughlin is a Software Developer residing in Nebraska, where he is safe from shark attacks, but Potato Oles lurk around every corner. You can find him on LinkedIn and Github.