Programster's Blog

Tutorials focusing on Linux, programming, and open-source

OpenID Connect (OIDC) Token Types

The OpenID Connect specification defines several tokens, each serving a different purpose, as outlined below:

ID Tokens

  • These are returned as id_token in a response to the /token endpoint.
  • These are always JWT tokens, meaning that they have user information encoded into the token, and that the token can be verified to check that it hasn't been tampered with.
  • These should never be sent to an API (this is what the access token is for).

Access Tokens

  • These are returned as access_token in responses.
  • These are bearer tokens that grant authorization as the user and thus should be kept secret.
  • Short-lived, but replacements can be created through the refresh token.
  • Can be used against the /userinfo endpoint defined in the spec in order to retrieve information about the user.

Refresh Token

  • Used to obtain new access tokens.
  • Long-lived, but when it expires, the user must authenticate again.
  • Another bearer token.
  • These should never be read by the client.
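To make the three roles concrete, here is an added client-side example (not code from the original post): it verifies an ID token's signature and the claims OIDC Core requires a client to check, then shows that only the access token goes into the Bearer header for /userinfo, and what the refresh grant to /token looks like once the access token has expired. To run offline with only the standard library, it assumes a provider that signs ID tokens with HS256 using the client secret; real providers usually use RS256 with keys from their JWKS endpoint, but the claim checks are identical. The issuer, client ID, secret, nonce and token values are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; none of these come from the blog post.
ISSUER = "https://op.example.com"
CLIENT_ID = "client-abc"
CLIENT_SECRET = b"demo-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Provider side (HS256), included only so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode())
                     + "." + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now=None) -> dict:
    """Check the signature, then the claims a client must validate
    (OIDC Core 3.1.3.7). Raises ValueError on any failure and returns
    the verified claims otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    head_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    # Pin the algorithm the client expects; never let the token choose it
    # (this rejects alg=none and algorithm-confusion tokens outright).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected_sig = hmac.new(secret, f"{head_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: tampered or signed with another key")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def userinfo_headers(token_response: dict) -> dict:
    """The access token, not the ID token, is what goes to /userinfo or any API."""
    return {"Authorization": "Bearer " + token_response["access_token"]}


def refresh_form(token_response: dict, client_id: str) -> dict:
    """Form body of a refresh_token grant to /token once the access token expires."""
    return {"grant_type": "refresh_token",
            "refresh_token": token_response["refresh_token"],
            "client_id": client_id}


if __name__ == "__main__":
    now = time.time()
    nonce = "n-0S6_WzA2Mj"  # generated by the client before the authorization request
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": int(now), "exp": int(now) + 600, "nonce": nonce}
    # Constructed /token response with the three token types the post describes.
    token_response = {"access_token": "opaque-access-token-xyz",
                      "token_type": "Bearer", "expires_in": 600,
                      "refresh_token": "opaque-refresh-token-abc",
                      "id_token": mint_id_token(claims, CLIENT_SECRET)}
    verified = verify_id_token(token_response["id_token"], CLIENT_SECRET,
                               ISSUER, CLIENT_ID, nonce)
    print("logged-in subject:", verified["sub"])
    print("userinfo request headers:", userinfo_headers(token_response))
    print("refresh grant body:", refresh_form(token_response, CLIENT_ID))
```

The order matters: the signature is checked before any claim is read, and the algorithm is pinned by the client rather than taken from the token header. A nonce that the client generated and stored before redirecting the user is what ties the returned ID token to this login attempt.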

Last updated: 19th December 2022
First published: 18th November 2021

This blog is created by Stuart Page

I'm a freelance web developer and technology consultant based in Surrey, UK, with over 10 years' experience in web development, DevOps, Linux administration, and IT solutions.
