ID Tokens vs Access Tokens: A Simple Guide with Examples
Authentication and authorization can be complex topics, but they’re crucial for securing your applications. In this blog post, we’ll look at two key components: ID tokens and access tokens. These concepts are central to OpenID Connect (OIDC) and OAuth 2.0, the standards implemented by identity providers like Google, Facebook, and Auth0. Let’s break down what these tokens are, how they work, and walk through some simple examples of their roles.
What is an ID Token?
An ID token is a signed piece of data that proves a user has been authenticated. Introduced by OpenID Connect (OIDC), which builds on OAuth 2.0, ID tokens are issued by the identity provider to your application (the relying party). Here’s a quick rundown:
- Purpose: Proves that the user authenticated, and when.
- Format: Always a JSON Web Token (JWT), so the application can verify its signature.
- Content: Claims about the user (subject, name) and about the authentication event (issuer, audience, issue and expiry times).
Let’s see how this works with an example. Imagine you’re logging into a web application using Google. After you log in, Google sends an ID token to the application. The application verifies the token’s signature and claims and can then treat you as logged in; the token also carries information such as your name and email address.
Here’s a sample ID token (in JWT format):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw
The token is base64url-encoded, not encrypted, so anyone who holds it can read it; decoding it with a tool like jwt.io shows the payload (decoding is not verification, the signature still has to be checked). Here’s what the decoded content looks like:
{
"iss": "http://my-domain.auth0.com",
"sub": "auth0|123456",
"aud": "1234abcdef",
"exp": 1311281970,
"iat": 1311280970,
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe"
}
These fields (called claims) include:
- iss: Issuer (the identity provider that signed the token)
- sub: Subject (the provider’s stable identifier for the user; key your user records on this, not on name or email)
- aud: Audience (the client ID of the application the token was issued to; reject tokens whose aud is not yours)
- exp: Expiry time (Unix timestamp)
- iat: Issued-at time (Unix timestamp)
- name, given_name, family_name: The user’s name
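The script below is an added example; it is not code from the original post or from any identity provider’s SDK. It decodes the sample token above the way jwt.io does (which proves nothing), then mints a demo HS256 token under a constructed shared secret and runs the checks OIDC requires of the relying party before it may trust an ID token: pinned algorithm, signature, iss, aud, exp and the nonce sent in the authorization request. The issuer `https://idp.example`, the client ID `client-abc`, the secret and all function names are made up for the demo. Real deployments normally verify RS256 signatures against the provider’s JWKS with a JWT library; HS256 with only the standard library is used here so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# The sample ID token from the post (the Auth0 documentation example; it expired in 2011).
SAMPLE_ID_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIs"
    "ImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwi"
    "bmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9."
    "bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw"
)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """What jwt.io shows you: the payload, with no proof that anyone signed it."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way an HS256 identity provider would (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends when hoping the verifier honours alg=none (empty signature)."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}."


class InvalidIDToken(Exception):
    pass


def validate_id_token(token, secret, issuer, client_id, nonce=None, now=None, leeway=60):
    """Relying-party checks from OIDC Core 3.1.3.7, in order: alg, signature, iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIDToken("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose ("none", or RS256-to-HS256 confusion).
    if header.get("alg") != "HS256":
        raise InvalidIDToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidIDToken("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidIDToken(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud")  # a string, or a list when issued to several clients
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise InvalidIDToken("token was not issued to this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidIDToken("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise InvalidIDToken("nonce mismatch (possible replay)")
    return claims


def rejection_reason(token, **kwargs):
    """None if the token passes validate_id_token, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, **kwargs)
        return None
    except InvalidIDToken as e:
        return str(e)
    except ValueError:  # bad base64 or JSON
        return "malformed token"


if __name__ == "__main__":
    print("decoded, unverified:", decode_unverified(SAMPLE_ID_TOKEN)["name"])
    secret, now = b"demo-shared-secret", 1_700_000_000  # constructed for the demo
    claims = {"iss": "https://idp.example", "sub": "user-1", "aud": "client-abc",
              "iat": now, "exp": now + 600, "nonce": "n1"}
    good = mint_hs256(claims, secret)
    common = dict(secret=secret, issuer="https://idp.example", client_id="client-abc", now=now + 10)
    print("valid:", rejection_reason(good, nonce="n1", **common))
    print("other client:", rejection_reason(good, **{**common, "client_id": "other-client"}))
    print("alg=none:", rejection_reason(forge_alg_none(claims), **common))
    print("sample token, unknown key:", rejection_reason(SAMPLE_ID_TOKEN, **common))
```

The order matters: the signature is checked before any claim is read, so a forged payload never influences a decision, and the algorithm is pinned by the verifier rather than taken from the token header.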
What is an Access Token?
An access token is a credential that allows a client application to access a user’s resources at an API. In the OAuth 2.0 context, access tokens are used for delegated authorization: the user grants the app a subset of their own rights. Here’s a summary:
- Purpose: Allows the app to call an API (the resource server) on the user’s behalf.
- Format: OAuth 2.0 doesn’t mandate one. The token is opaque to the client, which simply presents it as a Bearer token; many providers issue JWTs so the API can verify them locally.
- Content: Permissions (scopes), the audience (the API it was issued for), expiry, and other data the API needs to authorize the request.
For example, suppose you want to use a third-party app to post on Twitter on your behalf. When you authorize the app, it receives an access token from Twitter. If the app only asked for permission to post, the token allows it to post tweets but not to delete them or change your profile.
Here’s how the process works:
- User: Authorizes the app.
- App: Receives an access token.
- App: Uses the token to access the Twitter API and post tweets.
The permissions attached to the token (its scopes) define what the app can do, and the Twitter API checks them on every request. For example, the token might allow posting tweets but not deleting them.
Here’s a sample access token (in JWT format; its header specifies RS256):
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
As with the ID token, this is encoded rather than encrypted, so you can decode it with a tool like jwt.io. This particular token carries only sub, name and iat; a more realistic access-token payload adds an expiry and the granted scopes, like this:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622,
"scope": "read:user"
}
These fields (called claims) include:
- sub: Subject (the user identifier)
- name: The user’s name (unusual in an access token; an API should not need profile data to authorize a call)
- iat: Issued-at time
- exp: Expiry time
- scope: Permissions granted (in this case read:user, which allows reading user profile data; multiple scopes are space-separated)
A production access token also carries an aud claim naming the API it was issued for, so the API can refuse tokens minted for someone else, including ID tokens, whose audience is the client application rather than the API.
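The following is an added example, not code from the original post or from Twitter’s API: it shows the authorization decision a resource server makes for the flow above (user authorizes, app receives the token, app calls the API) once a JWT library has already verified the token’s signature. The API identifier `https://api.example.com`, the endpoint-to-scope table, the claim sets and the `authorize` function are all constructed for the demo. It also handles the two failure modes the text warns about: a token whose scopes don’t cover the endpoint, and an ID token presented to the API, which fails on audience before scopes are even consulted.

```python
import time

# Hypothetical values for this example: the identifier the authorization server
# puts in "aud" for our API, and the scope each endpoint requires.
API_AUDIENCE = "https://api.example.com"
REQUIRED_SCOPE = {
    ("GET", "/me"): "read:user",
    ("POST", "/tweets"): "write:tweets",
    ("DELETE", "/tweets"): "delete:tweets",
}


def granted_scopes(claims: dict) -> set:
    """OAuth scopes are a space-separated string in "scope"; some providers use an "scp" list."""
    scope = claims.get("scope")
    if isinstance(scope, str):
        return set(scope.split())
    scp = claims.get("scp")
    if isinstance(scp, list):
        return set(scp)
    return set()


def authorize(claims: dict, method: str, path: str, now=None):
    """Decision a resource server makes AFTER the JWT signature has been verified.

    Returns (http_status, rfc6750_error) where the error is None on success,
    "invalid_token" for a 401 and "insufficient_scope" for a 403.
    """
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if API_AUDIENCE not in aud:
        # An ID token lands here: its aud is the client_id, not this API.
        return 401, "invalid_token"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return 401, "invalid_token"
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, None
    if needed not in granted_scopes(claims):
        return 403, "insufficient_scope"
    return 200, None


# Constructed sample inputs (timestamps reuse the iat/exp of the post's sample payload).
NOW = 1516239022 + 60
ACCESS_TOKEN_CLAIMS = {
    "sub": "1234567890", "iat": 1516239022, "exp": 1516242622,
    "aud": API_AUDIENCE, "scope": "read:user write:tweets",
}
ID_TOKEN_CLAIMS = {  # same user, but issued to the client app, and no scopes
    "iss": "https://idp.example", "sub": "1234567890", "aud": "1234abcdef",
    "iat": 1516239022, "exp": 1516242622, "name": "John Doe",
}

if __name__ == "__main__":
    for label, claims, method, path, at in [
        ("read profile", ACCESS_TOKEN_CLAIMS, "GET", "/me", NOW),
        ("post tweet", ACCESS_TOKEN_CLAIMS, "POST", "/tweets", NOW),
        ("delete tweet", ACCESS_TOKEN_CLAIMS, "DELETE", "/tweets", NOW),
        ("ID token sent to API", ID_TOKEN_CLAIMS, "GET", "/me", NOW),
        ("expired access token", ACCESS_TOKEN_CLAIMS, "GET", "/me", 1516242622),
    ]:
        print(f"{label:24s} -> {authorize(claims, method, path, now=at)}")
```

Audience and expiry are checked before scopes on purpose: a 403 tells the client it holds a valid token that lacks a permission, a 401 tells it the token is not acceptable here at all, and that distinction (from RFC 6750) is what lets a well-behaved client know whether to re-request consent or re-authenticate.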
Key Differences
- ID Token: Used for authentication. It proves who the user is. Its audience is your application, which must validate it; it should never be sent to an API as a credential.
- Access Token: Used for authorization. It grants permission to access resources. Its audience is the API, which validates it; the client just forwards it and must not use its contents to log a user in.
[Diagram: simplified flow of the ID token to the application and the access token to the API; the image is not reproduced here.]
Conclusion
Understanding the difference between ID tokens and access tokens is essential for implementing secure authentication and authorization in your applications. ID tokens confirm the user’s identity, while access tokens grant permission to access resources on behalf of the user.
Using these tokens correctly can enhance your application’s security and provide a better user experience. Remember, ID tokens are all about who the user is, and access tokens are about what the app can do on behalf of the user.