An Identity Token Can Authenticate a User by Using:
"Let's use a token to secure this API phone call. Should I use the ID token or the access token? ๐ค The ID token looks nicer to me. Later on all, if I know who the user is, I tin make meliorate authorization decisions, correct?"
Have you lot ever constitute yourself making similar arguments? Choices based on your intuition may sound practiced, only what looks intuitive is not e'er correct. In the example of ID and access tokens, they have articulate and well-defined purposes, then you should use them based on that. Using the wrong token tin can outcome in your solution being insecure.
"What changes after all? They are simply tokens. I can use them as I come across fit. What'southward the worst that could happen?"
Allow'south take a closer look at these two types of tokens to better understand their function in authentication and authorization processes.
If y'all prefer, you can also watch this video on the same topic:
What Is an ID Token?
An ID token is an artifact that proves that the user has been authenticated. It was introduced by OpenID Connect (OIDC), an open standard for hallmark used past many identity providers such every bit Google, Facebook, and, of form, Auth0. Cheque out this document for more details on OpenID Connect. Let's take a quick look at the problem OIDC wants to resolve.
Consider the post-obit diagram:
Here, a user with their browser authenticates against an OpenID provider and gets access to a web application. The result of that authentication procedure based on OpenID Connect is the ID token, which is passed to the application equally proof that the user has been authenticated.
This provides a very basic thought of what an ID token is: proof of the user's authentication. Allow's encounter some other details.
An ID token is encoded as a JSON Web Token (JWT), a standard format that allows your awarding to hands inspect its content, and brand sure information technology comes from the expected issuer and that no one else changed it. If you want to learn more about JWTs, check out The JWT Handbook.
To put information technology but, an example of ID token looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw Of form, this isn't readable to the human eye, and so you lot have to decode it to come across what content the JWT holds. By the way, the ID token is not encrypted but just Base 64 encoded. Yous can utilise one of the many available libraries to decode it, or you can examine it yourself with the jwt.io debugger.
Without going deeper into the details, the relevant information carried by the ID token above looks like the following:
{ "iss" : "http://my-domain.auth0.com" , "sub" : "auth0|123456" , "aud" : "1234abcdef" , "exp" : 1311281970 , "iat" : 1311280970 , "proper noun" : "Jane Doe" , "given_name" : "Jane" , "family_name" : "Doe" } These JSON properties are chosen claims, and they are declarations near the user and the token itself. The claims about the user define the user's identity.
Actually, the OpenID Connect specifications don't require the ID token to have user's claims. In its minimal structure, it has no information about the user; just info about the authentication operation.
One important claim is the aud claim. This merits defines the audience of the token, i.eastward., the web application that is meant to be the final recipient of the token. In the case of the ID token, its value is the client ID of the application that should swallow the token.
Remember this small particular about the audience claim because it will help you better understand what its correct use is after on.
The ID token may have additional data about the user, such as their email address, moving picture, birthday, and so on.
Finally, mayhap the most important thing: the ID token is signed by the issuer with its private cardinal. This guarantees you the origin of the token and ensures that it has not been tampered with. You can verify these things past using the issuer's public key.
Cool! Now y'all know what an ID token is. But what can you practise with an ID token?
Starting time, it demonstrates that the user has been authenticated past an entity you lot trust (the OpenID provider) and and then yous can trust the claims nigh their identity.
Also, your application can personalize the user's feel past using the claims about the user that are included in the ID token. For example, you can show their name on the UI, or display a "best wishes" message on their altogether. The fun part is that you don't need to make boosted requests, so you lot may become a little gain in functioning for your application.
What Is an Access Token?
At present that you know what an ID token is, let's try to empathize what an access token is.
Allow's start by depicting the scenario where the access token fits:
In the diagram in a higher place, a client application wants to access a resource, e.g., an API or anything else which is protected from unauthorized admission. The other ii elements in that diagram are the user, which is the owner of the resources, and the authorization server. In this scenario, the access token is the artifact that allows the customer application to access the user's resource. It is issued past the authorization server after successfully authenticating the user and obtaining their consent.
In the OAuth 2 context, the admission token allows a customer awarding to access a specific resource to perform specific actions on behalf of the user. That is what is known every bit a delegated authorization scenario: the user delegates a client application to access a resource on their behalf. That ways, for example, that you tin can qualify your LinkedIn app to access Twitter's API on your behalf to cross-postal service on both social platforms. Keep in listen that you lot merely authorize LinkedIn to publish your posts on Twitter. Y'all don't authorize it to delete them or change your profile's information or exercise other things, too. This limitation is very important in a delegated authorization scenario and is achieved through scopes. Scopes are a mechanism that allows the user to authorize a tertiary-party awarding to perform only specific operations.
Of grade, the API receiving the access token must be certain that information technology actually is a valid token issued by the say-so server that it trusts and make authorization decisions based on the information associated with information technology. In other words, the API needs to somehow use that token in gild to authorize the client application to perform the desired performance on the resource.
How the access token should be used in gild to make authorisation decisions depends on many factors: the overall system architecture, the token format, etc. For example, an access token could be a key that allows the API to recall the needed information from a database shared with the authorization server, or it can straight incorporate the needed information in an encoded format. This ways that agreement how to retrieve the needed data to brand authorization decisions is an understanding between the say-so server and the resource server, i.e., the API.
OAuth 2 cadre specifications say zilch nearly the access token format. It can exist a string in any format. A common format used for admission tokens is JWT, and a standard construction is available. However, this doesn't mean that access tokens should exist in that format.
Alright! Now you know what an ID token and an access token are. ๐ So y'all are ready to apply them without any fear of making mistakes. But, await. I practice non see you lot convinced. ๐ค Maybe you need some other information. Ok. And then, let'southward see what these tokens are not suitable for.
What Is an ID Token NOT Suitable For?
I of the most common mistakes developers make with an ID token is using it to phone call an API.
Every bit said to a higher place, an ID token proves that a user has been authenticated. In a first-party scenario, i.eastward. in a scenario where the client and the API are both controlled by y'all, you may decide that your ID token is skillful to brand authorization decisions: maybe all y'all need to know is the user identity.
All the same, fifty-fifty in this scenario, the security of your awarding, consisting of the client and the API, may exist at risk. In fact, in that location is no mechanism that ties the ID token to the client-API channel. If an attacker manages to steal your ID token, they can employ it to call your API like a legitimate client.
For the access token, on the other hand, there is a ready of techniques, collectively known as sender constraint, that allow you lot to bind an access token to a specific sender. This guarantees that even if an aggressor steals an access token, they tin't utilise it to access your API since the token is bound to the client that originally requested it.
In a delegated authorization scenario where a third-party client wants to telephone call your API, you must non apply an ID token to phone call the API. In addition to the lack of mechanisms to bind information technology to the customer, at that place are several other reasons not to do this.
If your API accepts an ID token as an potency token, to begin with, you are ignoring the intended recipient stated by the audience claim. That claim says that it is meant for your client application, non for the resource server (i.e., the API).
You lot may think this is just a formality, merely there are security implications here.
Outset of all, among other validation checks, your API shouldn't accept a token that is not meant for information technology. If information technology does, its security is at risk. In fact, if your API doesn't care if a token is meant for it, an ID token stolen from any client awarding can exist used to access your API. Of course, checking the audience is just one of the checks that your API should do to preclude unauthorized access.
In addition, your ID token will not have granted scopes (I know, this is another pain point). As said before, scopes allow the user to restrict the operations your client application tin do on their behalf. Those scopes are associated with the access token so that your API knows what the client application can do and what information technology can't exercise. If your client application uses an ID token to call the API, yous ignore this feature and potentially let the application to perform actions that the user has not authorized.
What Is an Access Token NOT Suitable For?
On the access token side, it was conceived to demonstrate that you are authorized to access a resource, e.k., to call an API.
Your client application should use information technology only for this reason. In other words, the admission token should not exist inspected by the client application. It is intended for the resource server, and your customer application should treat admission tokens equally opaque strings, that is, strings with no specific meaning. Even if you know the access token format, you shouldn't try to interpret its content in your client application. As said, the access token format is an agreement betwixt the authorization server and the resource server, and the client application should non intrude. Think of what can happen if ane day the access token format changes. If your client code was inspecting that access token, at present it volition break unexpectedly.
A Quick Recap
The confusion over the use of ID and admission tokens is very common, and it can exist hard to wrap your caput around the differences. Maybe it mostly derives from not having a articulate understanding of the different goals of each artifact as defined past the OAuth and OpenID Connect specifications. Besides, agreement the scenarios where those artifacts were originally meant to operate has an important part in preventing confusion on their use. All the same, I promise this topic is a piffling more clear at present.
To recap, here is a quick summary of what you learned about what yous can and can't do with ID and access tokens:
If you desire to see ID and admission tokens in action, sign upward for a free Auth0 business relationship and beginning to add hallmark and potency to your applications in minutes with your preferred programming language and framework.
Source: https://auth0.com/blog/id-token-access-token-what-is-the-difference/
0 Response to "An Identity Token Can Authenticate a User by Using:"
Post a Comment