Welcome to an exploration of OpenID Connect (OIDC), focusing on the three tokens that underpin its operation: the ID Token, the Access Token, and the Refresh Token. These tokens are fundamental to how OIDC provides secure user authentication and streamlined access to resources.
OpenID Connect (OIDC) – A Brief Overview
OpenID Connect (OIDC) is an identity layer built on the tried and tested OAuth 2.0 protocol. It lets clients verify the identity of an end user based on the authentication performed by an authorization server, and obtain basic profile information about that end user, in an interoperable and REST-like manner.
Delving into the Tokens of OIDC
OIDC uses three types of tokens: the ID Token, the Access Token, and the Refresh Token. Let's take a closer look at each of them to understand their roles in the authentication flow.
ID Token
An ID Token is a signed assertion of the user's identity, issued to the client. Consider it the digital equivalent of an identity document. Here is an example of an ID token issued by a popular identity provider, Microsoft Entra ID (formerly Azure Active Directory):
{
  "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "sub": "abcdefghijklmnoprstuvwxyz",
  "aud": "99887766554433221100",
  "nonce": "12345",
  "exp": 1492816484,
  "iat": 1492812884,
  "auth_time": 1492812884
}
Here, 'iss' (issuer) identifies the identity provider, 'sub' (subject) is the ID of the user, 'aud' (audience) identifies the token's intended recipient (the client's ID, which the client must check against its own), and 'nonce' echoes the value the client sent in its authentication request, tying the token to that request. The timestamps 'exp' (expiration time), 'iat' (issued at), and 'auth_time' (when the user actually authenticated) describe the token's issuance and lifespan.
Access Token
An Access Token plays the role of a gate pass, granting access to protected resources. To demonstrate, here is an example of an access token, again from Microsoft Entra ID:
{
  "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "aud": "https://graph.microsoft.com",
  "sub": "abcdefghijklmnoprstuvwxyz",
  "exp": 1492816484,
  "app_displayname": "My Cool App",
  "appid": "99887766554433221100",
  "scope": "User.ReadWrite.All"
}
In this access token, ‘iss’ represents the identity provider, ‘aud’ verifies that the API being called by your app is the intended recipient, ‘sub’ is the user, ‘appid’ is your application’s client ID, and ‘scope’ describes the level of access granted.
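The claim checks described for the ID token and the access token above, as an added example that is not part of the original post and not Datawiza's or Microsoft's code. Real Entra ID tokens are signed with RS256 and verified against the issuer's published signing keys; to run offline, this example mints its own tokens with a constructed HS256 key that stands in for the issuer, then applies the relying-party checks (iss, aud equals the client ID, exp, iat, nonce) to the ID token and the resource-server checks (iss, aud equals the API, exp, required scope) to the access token. The sample claims mirror the two tokens shown in the post.

```python
# Added example: OIDC ID-token and access-token claim validation using only
# the Python standard library. SHARED_SECRET is a constructed demo key; a
# production verifier fetches the issuer's public keys (JWKS) and checks RS256.
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-key"  # stand-in for the issuer's signing key
ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"
CLIENT_ID = "99887766554433221100"        # our application's client ID
API_AUDIENCE = "https://graph.microsoft.com"  # the API the access token is for


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, key=SHARED_SECRET):
    """Mint a demo HS256 JWT (what the constructed issuer does)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_signature_and_decode(token, key=SHARED_SECRET):
    """Verify the signature before trusting any claim; pin the expected alg."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def validate_id_token(token, expected_nonce, now=None):
    """Relying-party checks: iss, aud == our client ID, exp, iat, nonce."""
    now = int(time.time()) if now is None else now
    claims = verify_signature_and_decode(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not meant for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("iat", 0) > now + 60:
        raise ValueError("issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def validate_access_token(token, required_scope, now=None):
    """Resource-server checks: iss, aud == this API, exp, required scope present."""
    now = int(time.time()) if now is None else now
    claims = verify_signature_and_decode(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("token not meant for this API")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims


# Constructed sample tokens carrying the claims shown in the post.
NOW = 1492812884
ID_TOKEN = make_jwt({"iss": ISSUER, "sub": "abcdefghijklmnoprstuvwxyz", "aud": CLIENT_ID,
                     "nonce": "12345", "exp": 1492816484, "iat": NOW, "auth_time": NOW})
ACCESS_TOKEN = make_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "abcdefghijklmnoprstuvwxyz",
                         "exp": 1492816484, "app_displayname": "My Cool App",
                         "appid": CLIENT_ID, "scope": "User.ReadWrite.All"})

if __name__ == "__main__":
    print(validate_id_token(ID_TOKEN, "12345", now=NOW)["sub"])
    print(validate_access_token(ACCESS_TOKEN, "User.ReadWrite.All", now=NOW)["appid"])
```

Note that the two validators deliberately differ in the audience they accept: an ID token presented to the API, or an access token presented to the client, fails the 'aud' check even though both are validly signed by the same issuer.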
Refresh Token
Finally, we come to the Refresh Token. It is used to request new access tokens without requiring the user to re-authenticate, which gives a seamless user experience. Unlike the other two tokens it is an opaque string rather than a set of readable claims, but it is the reference the identity provider relies on to issue new access tokens. Here's an example of a refresh token from Microsoft Entra ID:
OAQABAAAAAABnfiG-mA6NTae7CdWW7Qfdx-mU4mM9RiTII2ZYA_G9K9_xxxxxxxxxxxxxxxxxx
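How a client uses that opaque refresh token, as an added example that is not part of the original post and not Datawiza's or Microsoft's code. The provider's token endpoint is simulated in-process (a constructed FakeTokenEndpoint) so the example runs offline; a real client POSTs the same form fields over HTTPS to the provider's token endpoint, and a confidential client also authenticates itself on that request. The constructed endpoint additionally rotates the refresh token on every use, an assumption made here to show why a replayed old refresh token is rejected; whether a given provider rotates is provider-specific.

```python
# Added example: transparent access-token renewal with a refresh token.
# FakeTokenEndpoint, TokenCache and the rotation behaviour are constructed for
# this demo; only the grant_type=refresh_token request shape is standard OAuth 2.0.
import secrets
import time
from urllib.parse import parse_qs, urlencode

CLIENT_ID = "99887766554433221100"
ACCESS_TOKEN_LIFETIME = 3600  # seconds, matching exp - iat in the post's samples


class FakeTokenEndpoint:
    """Stand-in for the provider's /token endpoint. Issues a new access token
    for a valid refresh token and rotates the refresh token, so a refresh
    token that was copied and replayed later is refused."""

    def __init__(self):
        self._valid_refresh = set()

    def _issue(self):
        rt = secrets.token_urlsafe(48)  # opaque, like the sample above
        self._valid_refresh.add(rt)
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": rt}

    def issue_initial(self):
        """What the client receives at the end of the initial login."""
        return self._issue()

    def post(self, form):
        params = {k: v[0] for k, v in parse_qs(form).items()}
        if params.get("grant_type") != "refresh_token" or params.get("client_id") != CLIENT_ID:
            return {"error": "invalid_request"}
        rt = params.get("refresh_token")
        if rt not in self._valid_refresh:
            return {"error": "invalid_grant"}  # revoked, already rotated, or never issued
        self._valid_refresh.discard(rt)  # single use: rotate
        return self._issue()


class TokenCache:
    """Client-side cache that hands out the current access token and refreshes
    it shortly before expiry without involving the user."""

    def __init__(self, endpoint, initial, now=None):
        self._endpoint = endpoint
        self._now = now or time.time
        self.refresh_count = 0
        self._store(initial)

    def _store(self, resp):
        if "error" in resp:
            raise PermissionError(f"refresh failed: {resp['error']}; user must log in again")
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]  # keep the rotated value
        self.expires_at = self._now() + resp["expires_in"]

    def get_access_token(self, skew=60):
        if self._now() >= self.expires_at - skew:
            body = urlencode({"grant_type": "refresh_token", "client_id": CLIENT_ID,
                              "refresh_token": self.refresh_token})
            self._store(self._endpoint.post(body))
            self.refresh_count += 1
        return self.access_token


def demo():
    """Run through login, silent refresh after expiry, and a replay of the old
    refresh token. Returns (tokens differ, refreshes performed, replay error)."""
    clock = [1492812884]  # constructed clock, starting at the post's iat
    endpoint = FakeTokenEndpoint()
    cache = TokenCache(endpoint, endpoint.issue_initial(), now=lambda: clock[0])
    first = cache.get_access_token()       # still fresh: no refresh
    clock[0] += ACCESS_TOKEN_LIFETIME      # access token has now expired
    old_rt = cache.refresh_token
    second = cache.get_access_token()      # refreshed silently
    replay = endpoint.post(urlencode({"grant_type": "refresh_token",
                                      "client_id": CLIENT_ID, "refresh_token": old_rt}))
    return first != second, cache.refresh_count, replay.get("error")


if __name__ == "__main__":
    print(demo())
```

The client never inspects the refresh token's contents; it only stores it and presents it back to the issuer. An `invalid_grant` answer is the signal that silent renewal is no longer possible and the user has to authenticate again.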
Conclusion
ID Tokens, Access Tokens, and Refresh Tokens together improve both security and user experience in OIDC-enabled applications. The ID Token confirms the user's identity, the Access Token governs access to protected resources, and the Refresh Token avoids repeated manual re-authentication. Each token plays its part in a complete authentication and authorization protocol that both secures and simplifies user interactions in an increasingly digital world.