ID Token and Access Token: What’s the Difference?

TABLE OF CONTENTS

  • What Is an ID Token?
  • What Is an Access Token?
  • What Is an ID Token NOT Suitable For?
  • What Is an Access Token NOT Suitable For?
  • A Quick Recap
"What changes in the end? These are just tokens. I can use them as I please. What's the worst that can happen?"

Have you ever made similar arguments? Choosing based on your intuition may sound good, but what seems intuitive isn't always right. In the case of ID and access tokens, they have clear and well-defined purposes, so you should use them accordingly. Using the wrong token could make your solution insecure.

Let's take a closer look at these two types of tokens to better understand their role in the authentication and authorization processes.

What Is an ID Token?

An ID token is an artifact that proves that the user has been authenticated. It was introduced by OpenID Connect (OIDC), an open standard for authentication used by many identity providers such as Google, Facebook, etc.
Let’s take a quick look at the problem OIDC wants to resolve.

Consider the following diagram:

Here, a user with their browser authenticates against an OpenID provider and gets access to a web application. The result of that authentication process based on OpenID Connect is the ID token, which is passed to the application as proof that the user has been authenticated.

This provides a very basic idea of what an ID token is: proof of the user’s authentication. Let’s see some other details.
An ID token is encoded as a JSON Web Token (JWT), a standard format that lets your application easily inspect its content, confirm that it comes from the expected issuer, and verify that no one else has changed it. If you want to learn more about JWTs, check out The JWT Handbook.

To put it simply, an example ID token looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw

Of course, this isn't readable to the human eye, so you have to decode it to see what content the JWT holds. By the way, the ID token is not encrypted, just Base64url-encoded, so anyone who holds it can read its claims. You can use one of the many available libraries to decode it, or you can examine it yourself with the jwt.io debugger.

{
  "iss": "http://my-domain.auth0.com",
  "sub": "auth0|123456",
  "aud": "1234abcdef",
  "exp": 1311281970,
  "iat": 1311280970,
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe"
}
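The following is an added example (not code from the original post) that does by hand what a JWT library or the jwt.io debugger does: it splits the token above into its three Base64url segments, decodes the header and payload, and then performs the checks the text says an application must make before trusting an ID token: signature, issuer, audience and expiry. The page's token is HS256-signed with a secret that is not public, so the example can only inspect it (and observe that its `exp` claim, from 2011, has long passed); to show verification succeeding and failing, it mints a second token with a constructed secret, placeholder issuer and placeholder client ID, all of which are assumptions and not values from the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# The ID token printed on the page. Its signing secret is not public, so we can
# inspect its claims but cannot verify its signature.
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw"

# Constructed values for the second, verifiable token (assumptions, not from the page).
DEMO_SECRET = b"constructed-demo-secret"  # a real secret would come from configuration
DEMO_ISS = "https://issuer.example"       # placeholder OpenID provider
DEMO_AUD = "client-abc"                   # placeholder client_id of our application
DEMO_NOW = 1_700_000_000                  # fixed clock so results are reproducible


def b64url_decode(segment: str) -> bytes:
    """JWT segments are Base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT checking the signature (what a debugger shows)."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Used here only to build a token whose secret we know."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_id_token(token: str, secret: bytes, expected_iss: str,
                      expected_aud: str, now: Optional[int] = None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # only accept the algorithm we configured
        raise ValueError("unexpected alg")
    expected_mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token not meant for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def verdict(token: str, secret: bytes, expected_iss: str,
            expected_aud: str, now: Optional[int] = None) -> str:
    """Same checks as validate_id_token, but returns 'ok' or the reason for rejection."""
    try:
        validate_id_token(token, secret, expected_iss, expected_aud, now)
        return "ok"
    except ValueError as err:
        return str(err)


def tamper_subject(token: str, new_sub: str) -> str:
    """Re-encode the payload with a different 'sub' but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return header_b64 + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


def demo_token() -> str:
    """A constructed, currently valid token for DEMO_ISS / DEMO_AUD at DEMO_NOW."""
    return sign_hs256({"iss": DEMO_ISS, "sub": "user-1", "aud": DEMO_AUD,
                       "iat": DEMO_NOW, "exp": DEMO_NOW + 600}, DEMO_SECRET)


if __name__ == "__main__":
    header, payload = inspect(PAGE_TOKEN)
    print("page token header :", header)
    print("page token payload:", json.dumps(payload, indent=2))
    print("page token expired:", int(time.time()) >= payload["exp"])
    good = demo_token()
    print("demo token        :", verdict(good, DEMO_SECRET, DEMO_ISS, DEMO_AUD, DEMO_NOW))
    print("tampered sub      :", verdict(tamper_subject(good, "admin"), DEMO_SECRET, DEMO_ISS, DEMO_AUD, DEMO_NOW))
    print("wrong audience    :", verdict(good, DEMO_SECRET, DEMO_ISS, "other-client", DEMO_NOW))
```

The point of `verdict` is the order of the checks: the signature is verified before any claim is read, the `aud` check is what stops an ID token issued to a different client from being accepted, and `exp` is compared against the server clock rather than trusted. In production you would use a maintained JWT library with the provider's published keys instead of this hand-rolled HS256 check; the manual version is here to make each step visible.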
