ID Tokens VS Access Tokens: What's the Difference?

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

ID token access token ID token access token what's the difference [Applause] [Music] [Applause] [Music] all right maybe the difference between ID tokens and access tokens is not quite that dramatic and stressful but you probably do have questions maybe you've worked on applications where you're building authentication or incorporating authentication with a third-party platform and you've heard these terms ID tokens and access tokens and you're not exactly sure what they are and most importantly how they are to be used and most more importantly how they're not to be used so let's talk about all that in this video today there's also a cheat sheet that will break down the difference between ID tokens and access tokens to recap all the things that we say in the associated blog post you can find that and download it for free with the link in the description below to the blog post that said let's go ahead and dive into the difference between ID tokens and access tokens alright for ID tokens let's start by talking about open ID connect openid connect is an open standard for decentralized authentication the good thing is this is used by many or all of the most popular identity providers out there things like Google and Facebook and Twitter so this is basically a workflow for a user to authenticate themselves and the output of this what openid connect provides as an output artifact is an ID token that proves the user has been authenticated now for ID tokens these are specifically encoded as a JWT or Json web token also referred to as jots although I still don't quite get that so I'm going to use JWT in here to refer to Json web tokens so ID tokens are required to be in the format of a JWT and jwts typically consist of three parts they've got the header the payload or the body and then the signature for reference if you ever have a Json web token and you want to see the information that's inside of it you can head on over to jwtio to decode that information and see all the stuff that's right there now inside of the payload or the body with the Json web token you'll have several different claims or pieces of information you might have a sub property which is the unique identifier for a user you might have an audience which is basically who the intended receiver is to use this ID token this will be important we'll come back to this in a second you might have the issuer the identity provider who created the token and you might have the name or other pieces of information about the user themselves now I mentioned this audience property would become important with ID tokens and here in a second with access tokens so the audience property is defining which application is meant to be the final recipient of an ID token in most cases that's going to be like a client application because we might do things like this inside of an application you log in you then get redirected back to your application and after you've completed the login in the top right corner you might see your username and your profile image or something like that with a drop down button and it's got log out and settings and dashboard and things like that so that ID token is being used to grab that information about the user like their name and their profile image so who is the intended final recipient of this ID token was the application that the user is currently logged into and that ID token can be used to display their information on the app now let's transition over to access tokens access tokens are specifically designed to allow you access to a resource a resource could be a file it could be a database or most likely it could be an API that you can call to do crud operations on some sort of data now where do access tokens come from ID tokens came from openid connect access tokens in this case come from oauth 2. oauth2 is designed to allow an application to access specific resources on behalf of a user so let's talk about an example here let's say you log into your LinkedIn app and you start to post on LinkedIn frequently and you realize hey I might as well cross post these things to Twitter so that I get that much more exposure for the content that I'm creating well maybe LinkedIn could add some sort of ability to do that for you so the way this will work is LinkedIn would redirect you over to Twitter you would authenticate against Twitter and in addition to regular authentication you will also Grant access to certain Scopes or things that the original application LinkedIn can do on your behalf with the resource server which in this case is Twitter the resources are reading your tweets posting to your timeline things like that so you'll have to Grant access to those certain Scopes and embedded in that response is the access token that has the authorization to do those very specific things now unlike ID tokens access tokens don't have a specific required format they can basically be in any string format but you will often see them in the format of jwts Json web tokens the same way you will for IED tokens although it's not a requirement now one thing to note is there's currently a specification being worked on and formalized now that will Define how to structure your access tokens as Json web tokens but we're not quite there yet so in this case access tokens can basically be any format of string oftentimes you will see them in the format of Json web tokens and that's what we use at all zero when you're making calls to a specific API so let's go back to this idea of audience or who is the intended receiver of a token for the ID token we said it was the application that the user is logged into and we use that to display information about the user on the page and do a few other things access tokens are a little bit different access tokens are meant to be sent to a resource server to access some sort of API or data or something like that which means if I'm inside of LinkedIn and I do that redirect over to Twitter let the user log in and Grant access to those Scopes and redirect user back to LinkedIn and then want to make a call to Twitter Twitter as the resource server is the final intended recipient of this access token so that is where that access token is supposed to be used all right so let's take a little bit of time to recap this first by starting with what these different types of tokens are not intended for ID tokens are not meant for authorization they are strictly for verifying that a user has logged in or authenticated themselves which means they should not be sent to an API remember the audience claimed that audience claim is the application that the user is logged into not a separate API that we will send a token to so we do not send ID tokens to separate apis ID tokens also do not have any authorization information included inside of them so they would basically be useless to send to an API anyway so we don't send ID tokens to apis and we don't use them for any sort of authorization on the flip side access tokens are not used for authentication the interesting thing about this is that based on an access token you can't actually make any assumption about the user's Identity or the fact that they're logged in or not think about it if you log into an application if I logged into LinkedIn I go to Twitter I do the redirect I get the access token and then I log out of Twitter that access token is still valid and still can be used so the access token itself doesn't actually guarantee me that a user is logged in at all so let's do the whole recap here ID tokens are required to be in the format of a JWT or a Json web token they are the output of a workflow called openid connect and they are strictly for Authentication access tokens on the other hand do not have a required format although there is a specification in the works for formatting them as jwts Json web tokens but access tokens are specifically used for delegated authorization and access not for Authentication so oftentimes you'll see that these access tokens are sent to an API of some sort and embedded in that token is some sort of information that expresses its ability to do certain things if you're looking for a quick recap of this and a really nice cheat sheet again you can get that for free and the link below in the associated blog post with this video we hope you enjoyed it if you have any other questions let us know in the comments below thanks for watching and we'll catch you next time [Music]

Info

Channel: OktaDev

Views: 92,313

Rating: undefined out of 5

Keywords: id tokens, access tokens, id tokens vs access tokens, oauth2, openid connect, openid connect vs oauth2, openid connect tutorial, openid and oauth 2.0, identity, security, how to use an access token, where do I get an accesss token, where do I get an id token, json web token, json web token authentication, secure applications, jwt token tutorial, authentication vs authorization, auth0, okta, james quick, developer, authorization, basics, login, for dummies, what is a token, okta dev

Id: vVM1Tpu9QB4

Channel Id: undefined

Length: 8min 38sec (518 seconds)

Published: Mon Jan 09 2023