What is the difference between id_token and access_token in Auth0

Asked 18/7, 2015 at 20:0 Answered 8/1, 2020 at 13:26

In Auth0 you can use refresh tokens. In this link, we can see many returned parameters:

lock.showSignin({
  authParams: {
    scope: 'openid offline_access'
  }
}, function (err, profile, id_token, access_token, state, refresh_token) {
  // store refresh_token
});

Apparently, access_tokens can be used to retrieve user profile data. But this appears to be specific to oauth, and I thought auth0 uses openid?

What is the difference between id_token and access_token?

Haworth answered 18/7, 2015 at 20:0 Comment(1)

Auth0 documentation has a good overview of their (many) tokens auth0.com/docs/tokens – Haerle 14/4, 2016 at 0:27

OpenID Connect is built on top of OAuth2.

An access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.
An id_token is a JWT and represents the logged in user. It is often used by your app.
A refresh_token (only to be used by a mobile/desktop app) doesn't expire (but is revokable) and it allows you to obtain freshly minted access_tokens and id_token.

Napoli answered 18/7, 2015 at 21:3 Comment(3)

A refresh_token (only to be used by a mobile/desktop app) Can you explain? It appears others prescribe using refresh tokens even with web apps: #26739667. – Haworth 19/7, 2015 at 6:52

According to Auth2.0, A refresh token does have expiration but it lives way longer than the security_token. (That might not be true in OpenId). Also a refresh token is optional and it is up to the STS to send it or not. However, in implicit grant it is definitely not sent because it will be risky, but in authorization Code grant it is optional. – Birdbath 23/2, 2018 at 0:53

In addition, access_token can be a jwt as well. May contain scopes too! For more details see: mannharleen.github.io/2020-03-11-id-access-tokens – Marcionism 11/3, 2020 at 13:28

The resource server (your server-side application) accept only the access token from a client. This is because access tokens are intended for authorizing access to a resource. ID Tokens, on the other hand, are intended for authentication. This granted by the OpenID Provider that contains information about an End-User. source

Access tokens are the thing that applications use to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts of a user’s data. Access tokens must be kept confidential.

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it. Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token. source

The lifetime of a refresh token is up to the (AS) authorization server — they can expire, be revoked, etc. The difference between a refresh token and an access token is the audience: the refresh token only goes back to the authorization server, the access token goes to the (RS) resource server. source

Munition answered 8/1, 2020 at 13:26 Comment(1)

Like your answer. We are using Google's Authentication and ID Token. Because ID Token expires in 60 minutes, it will be cumbersome to have users log in every hour. But they don't provide auto-refresh. Any suggestion? – Halfblood 14/6, 2021 at 23:6

Recommended topics

Hot tags