Why You Should Use Access Tokens to Secure an API

Too many people don’t know the difference between the OpenID Connect and OAuth 2.0 specifications. This results in devs publishing insecure apps because they’re using an ID token to secure the API where they should be using an access token. Maria Paktiti at Auth0.com explains the difference and why you should always use access tokens, not ID tokens, to secure your API.

First off, the difference between OpenID and OAuth is: OAuth lets you authorize an app to access your information from another app without sharing creds, while OpenID lets you verify your identity and share some profile info with an app, again, without sharing creds. In short, OpenID is about who you are, OAuth is about what you are allowed to do.

OpenID Connect issues an id token while OAuth 2.0 issues an access token. The id token is a JWT and is meant for the API client. So, for example, Google could send your app an id token for a particular user, which you can then decode to get some basic user information. The access token on the other hand is any token for the API that authorizes the token bearer to access the API and do certain things. In the Google example, you could grant a web app access to your calendar. They can then use the token in their requests to make changes to your calendar.

It’s important to keep in mind what the different tokens can and can’t be used for. The access token is for authentication and contains no information about the user. The id token is the exact opposite: it contains information about the user but should never be used for authentication. If the client_id of the client making an authentication request isn’t the same as that in the id_token then the token shouldn’t be trusted.

To repeat, the id token is only meant for authenticating users to the client while the access token is for authorizing the user to use the API. The access token as a result has no interesting content for clients and should not be decoded. 
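The example below is added here and is not from the original article. It shows the API and the client each validating the token meant for them, so that an id token presented to the API is rejected. It assumes a JWT-format access token signed with HS256; the key, `API_AUDIENCE`, `CLIENT_ID` and the scope names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"            # assumption: HS256 key shared with the issuer
API_AUDIENCE = "https://api.example.com"    # hypothetical API identifier
CLIENT_ID = "my-web-app"                    # hypothetical client_id of the web app

def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(signing_input: bytes) -> bytes:
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def make_jwt(claims: dict) -> str:
    """Issuer side, only here to build the constructed sample tokens."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return b".".join([head, body, _sign(head + b"." + body)]).decode()

def verify_jwt(token: str) -> dict:
    """Check the HS256 signature and return the claims; ValueError on any failure."""
    head, body, sig = token.encode().split(b".")
    if not hmac.compare_digest(sig, _sign(head + b"." + body)):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))

def _audiences(claims: dict) -> list:
    aud = claims.get("aud", [])
    return aud if isinstance(aud, list) else [aud]

def api_accepts(token: str, required_scope: str) -> bool:
    """API side: the token must be issued for this API and carry the scope."""
    try:
        claims = verify_jwt(token)
    except ValueError:
        return False
    return (API_AUDIENCE in _audiences(claims)
            and required_scope in claims.get("scope", "").split())

def client_accepts_id_token(token: str) -> bool:
    """Client side: the id token must name this client as its audience."""
    try:
        return CLIENT_ID in _audiences(verify_jwt(token))
    except ValueError:
        return False

# Constructed sample tokens: one for the client, one for the API.
ID_TOKEN = make_jwt({"sub": "user-123", "aud": CLIENT_ID, "name": "Sample User"})
ACCESS_TOKEN = make_jwt({"aud": API_AUDIENCE, "scope": "read:calendar write:calendar"})
```

Both tokens carry a valid signature from the same issuer, so the audience and scope checks are what keep each token in its own lane.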

Original Article

Why You Should Always Use Access Tokens to Secure an API

Seamus Holland

Comments(1)

bovaa

"The access token is for authentication and contains no information about the user. The id token is the exact opposite: it contains information about the user but should never be used for authentication."

I believe you have a typo in there.