OpenID Connect (OIDC) Token Types
OpenID Connect builds on OAuth 2.0 and uses three different tokens, each serving a different purpose, as outlined below:
ID Tokens
- Returned as id_token in the response from the /token endpoint.
- Always a JWT: claims about the user and the authentication event are encoded in the token, and its signature lets the client verify that it has not been tampered with. Before trusting one, the client must check the signature, the iss claim (the expected provider), the aud claim (its own client_id), the exp claim, and the nonce it sent in the authorization request.
- Should never be sent to an API; that is what the access token is for.
Access Tokens
- Returned as access_token in responses from the /token endpoint.
- Bearer tokens: whoever holds one can act as the user, so they must be kept secret (sent only over TLS, never logged, never exposed where they are not needed).
- Short-lived; replacements are obtained with the refresh token rather than by re-authenticating the user.
- Can be presented to the /userinfo endpoint defined in the OIDC Core spec to retrieve claims about the user.
- Their format is not fixed by the spec (a JWT or an opaque string); the client should treat them as opaque and leave interpretation to the API that consumes them.
Refresh Token
- Used to obtain new access tokens from the /token endpoint without involving the user.
- Long-lived, but once it expires or is revoked the user must authenticate again.
- Another bearer token, so it must be stored and transmitted at least as carefully as the access token.
- Opaque to the client: it is never parsed or interpreted, only exchanged at the /token endpoint.
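As an added example (not code from the page, Okta, or any OIDC library), the following stdlib-only Python sketch shows the two sides of the rules above: the relying party validating an ID token (signature, iss, aud, exp, nonce) before trusting it, and a resource server refusing that same ID token because its audience is the client_id, not the API. The issuer, client_id, client secret and API audience are hypothetical values. HS256 keyed with the client secret is used so the example runs offline; most providers sign with RS256 and publish keys via JWKS, which changes the signature step but none of the claim checks.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for this example only; none come from the original page.
ISSUER = "https://op.example.com"                  # hypothetical OpenID Provider
CLIENT_ID = "my-web-app"                           # hypothetical client_id of the relying party
CLIENT_SECRET = b"constructed-demo-client-secret"  # constructed; HS256 key, as OIDC Core 10.1 allows
API_AUDIENCE = "https://api.example.com"           # hypothetical resource server identifier


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Stand-in for the provider's /token endpoint: HS256-sign a claim set."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the signature and return the claims; claim validation is the caller's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it ("none", key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def verify_id_token(token: str, key: bytes, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party side: the checks required before an ID token may be trusted."""
    claims = verify_jwt(token, key)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("audience is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def api_accepts(token: str, key: bytes, now: Optional[float] = None) -> bool:
    """Resource-server side: accept only a token issued for this API's audience.

    An ID token carries aud == client_id, so it is rejected here even though
    its signature is valid. That is the practical reason ID tokens never go to APIs."""
    try:
        claims = verify_jwt(token, key)
    except ValueError:
        return False
    now = time.time() if now is None else now
    return (
        claims.get("iss") == ISSUER
        and claims.get("aud") == API_AUDIENCE
        and claims.get("exp", 0) > now
    )


if __name__ == "__main__":
    now = int(time.time())
    id_token = mint_jwt(
        {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now, "exp": now + 300, "nonce": "n-1"},
        CLIENT_SECRET,
    )
    print("ID token claims:", verify_id_token(id_token, CLIENT_SECRET, "n-1"))
    print("API accepts the ID token?", api_accepts(id_token, CLIENT_SECRET))
```

The nonce check is what ties the ID token to the authorization request the client actually made; without it a token captured elsewhere could be replayed into a fresh login, which is why the client must generate the nonce itself and store it in the session until the token arrives.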
References
- Okta.com - Identity, Claims, & Tokens – An OpenID Connect Primer, Part 1 of 3 - All About Tokens
- IETF - RFC 6749: The OAuth 2.0 Authorization Framework
- oauth.net - ID Tokens vs Access Tokens
Last updated: 19th December 2022
First published: 18th November 2021