Programster's Blog

Tutorials focusing on Linux, programming, and open-source

OpenID Connect (OIDC) Token Types

An OpenID Connect (OIDC) flow hands the client several different tokens, each serving a different purpose. OIDC itself defines the ID token; the access token and refresh token are inherited from the underlying OAuth 2.0 framework. They are outlined below:

ID Tokens

  • These are returned as id_token in the response from the /token endpoint (and directly from the authorization endpoint in the implicit and hybrid flows).
  • These are always JWTs, meaning that identity claims about the user (sub, iss, aud, exp, nonce and so on) are encoded within the token itself, and that the signature lets the client verify the token hasn't been tampered with.
  • They are meant for the client, not for APIs: before trusting the claims, the client must validate the signature and check that iss is the expected provider, aud contains its own client_id, exp has not passed, and nonce matches the one it sent in the authorization request.

Access Tokens

  • These are returned as access_token in responses.
  • These are bearer tokens that grant authorization as the user, so anyone who holds one can use it; they must therefore be kept secret.
  • Short-lived, but replacements can be obtained through the refresh token.
  • Can be presented (as a Bearer header) to the /userinfo endpoint defined by the spec in order to retrieve claims about the user.
  • The spec does not fix their format: some providers issue JWTs, others opaque strings. The client should treat the access token as opaque and only ever pass it on; it is the resource server that interprets it.

Refresh Token

  • Used to obtain new access tokens from the /token endpoint without involving the user.
  • Long-lived, but when it expires (or is revoked), the user must authenticate again.
  • Another bearer token, so it should be stored securely and sent only to the token endpoint, never to /userinfo or a resource server.
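The three token types as they arrive in one /token response, followed by the client-side checks on the ID token, as an added example that is not part of the original post. The id_token is built and verified with HS256 keyed by the client secret, which OIDC Core permits as an alternative to RS256; most providers actually use RS256 with public keys fetched from their JWKS endpoint, so a real client would swap the HMAC comparison for an RSA signature check and keep everything else. The issuer, client ID, client secret, nonce, the claim values and the opaque access_token and refresh_token strings are all constructed sample values, not anything from a real provider.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values standing in for a real provider, client and user.
ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "example-client-secret-not-for-production"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_637_193_600  # 2021-11-18T00:00:00Z, fixed so the checks are deterministic

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, client_secret: str) -> str:
    """Build an HS256-signed ID token. Only the provider does this in reality;
    it is here so the sample response below can be produced offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Client-side ID token validation: signature first, then iss, aud, exp and nonce.
    Returns the claims on success, raises ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm agreed at registration; never let the token choose it
    # (this is what blocks the classic alg=none bypass).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise ValueError("token not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def sample_token_response() -> dict:
    """A constructed /token response: a JWT id_token beside opaque access and refresh tokens."""
    claims = {"iss": ISSUER, "sub": "24400320", "aud": CLIENT_ID, "exp": NOW + 3600,
              "iat": NOW, "nonce": NONCE, "email": "alice@example.com"}
    return {
        "access_token": "SlAV32hkKG",   # opaque to the client; sent as Bearer to /userinfo or an API
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": "8xLOxBtZp8",  # opaque; goes back to the token endpoint only
        "id_token": mint_id_token(claims, CLIENT_SECRET),
    }

def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the payload without re-signing, as an attacker lacking the key would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload}.{sig_b64}"

def check(token: str, **overrides):
    """Return the rejection reason, or None when the ID token verifies."""
    kwargs = dict(client_secret=CLIENT_SECRET, issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE, now=NOW)
    kwargs.update(overrides)
    try:
        verify_id_token(token, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    resp = sample_token_response()
    print("genuine:", check(resp["id_token"]))
    print("sub rewritten:", check(tamper_sub(resp["id_token"], "1")))
    print("two hours later:", check(resp["id_token"], now=NOW + 7200))
    print("wrong nonce:", check(resp["id_token"], nonce="other"))
```

Note that the access_token and refresh_token are never decoded by the client here: the only token it parses is the id_token, and the only way it establishes who the user is is through claims that survived the signature check. The order of checks also matters; the signature is verified before any claim is read, so a forged payload never influences the issuer or audience comparison.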

Last updated: 18th November 2021
First published: 18th November 2021