¶ Access Token VS ID Token

Update Time: 2022-06-19 15:23:15

Two kinds of token are involved in identity and access: the Access Token and the ID Token.

¶ Access Token

An Access Token can be in JWT format or an opaque random string. It is required when calling a protected API: the API checks the scope in the Access Token before granting access to the resource. For example, a user logs in to an application via Google, and Google returns an Access Token to the application. When the user wants to sync data with Google Calendar, the application must present that Access Token to the Google Calendar API to request the resource.

Never use an Access Token as proof of identity. An Access Token by itself cannot guarantee that the user is authenticated.

The only user identity information stored in an Access Token is the user ID in the sub claim. In your application, treat the Access Token as an opaque random string that carries no information.

Access Token Example:

{
  "jti": "YEeiX17iDgNwHGmAapjSQ",
  "sub": "601ad46d0a3d171f611164ce",
  "iat": 1612415013,
  "exp": 1613624613,
  "scope": "openid profile offline_access",
  "iss": "https://yelexin-test1.authing.cn/oidc",
  "aud": "601ad382d02a2ba94cf996c4"
}

Note: an Access Token contains no user information other than the user ID. The scope claim is used for access to protected APIs. Access Tokens are therefore used for API access, not for user identification.

In particular scenarios, a developer can use the Access Token to retrieve user information by calling Authing's User Information Endpoint.

¶ ID Token

An ID Token is in JWT format. It is used for the identification process. For example, an application allows login via Google and syncs user information with Google Calendar. Google returns an ID Token to the application, which contains basic user information (username, avatar, etc.). The application can decode the ID Token and read the user information.

A request will be rejected if the ID Token is not valid. See: How to verify.

Using an ID Token for API access is NOT recommended. The aud (audience) claim in an ID Token is the ID of the application that requested the authentication.

ID Token Example:

{
  "sub": "601ad46d0a3d171f611164ce",
  "birthdate": null,
  "family_name": null,
  "gender": "U",
  "given_name": null,
  "locale": null,
  "middle_name": null,
  "name": null,
  "nickname": null,
  "picture": "https://files.authing.co/authing-console/default-user-avatar.png",
  "preferred_username": null,
  "profile": null,
  "updated_at": "2021-02-04T05:02:25.932Z",
  "website": null,
  "zoneinfo": null,
  "at_hash": "xnpHKuO1peDcJzbB8xBe4w",
  "aud": "601ad382d02a2ba94cf996c4",
  "exp": 1613624613,
  "iat": 1612415013,
  "iss": "https://oidc1.authing.cn/oidc"
}
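The two checks described above, as an added example that is not part of the Authing documentation: a resource server that admits an Access Token only for the scope it grants and takes nothing but sub from it, and a client that validates an ID Token (signature, issuer, audience, expiry and the at_hash binding to the Access Token issued alongside it). It assumes HS256 signing with a constructed shared secret and a single issuer for both tokens; the claim values are taken from the examples above, while the secret, the calendar.write scope, the tampered token and the helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this demo (assumption: HS256-signed tokens with a shared secret; an issuer
# that signs with RS256 would be verified with its published JWKS public key instead).
SECRET = b"demo-app-secret-not-a-real-credential"
ISSUER = "https://yelexin-test1.authing.cn/oidc"   # iss from the Access Token example above
CLIENT_ID = "601ad382d02a2ba94cf996c4"             # aud from both examples above
SUB = "601ad46d0a3d171f611164ce"                   # sub from both examples above
NOW = 1612415013                                   # iat from the examples; exp is 14 days later

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint an HS256 JWT (stands in for the identity provider)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, now=None) -> dict:
    """Check signature, issuer and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # only the configured algorithm, never alg=none
    expected = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def authorize_api_call(access_token: str, required_scope: str, now=None) -> str:
    """Resource-server side: admit the call only if the Access Token grants required_scope.
    The only identity fact taken from the token is sub; the rest is treated as opaque."""
    claims = verify_jwt(access_token, now)
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise PermissionError(f"scope {required_scope!r} not granted")
    return claims["sub"]

def at_hash(access_token: str) -> str:
    """OIDC at_hash: base64url of the left half of SHA-256 over the access token (HS256/RS256)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def validate_id_token(id_token: str, access_token: str, now=None) -> dict:
    """Client side: an ID Token identifies the user to *this* application, so aud must be our
    client ID, and at_hash must bind it to the Access Token issued alongside it."""
    claims = verify_jwt(id_token, now)
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("ID Token was not issued for this application")
    if claims.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash does not match the Access Token")
    return claims

def rejects(fn, *args, **kwargs) -> bool:
    """True when fn refuses its input (used to show the rejection paths)."""
    try:
        fn(*args, **kwargs)
    except (ValueError, PermissionError):
        return True
    return False

# Sample tokens rebuilt from the claim values shown on the page (signatures are constructed).
ACCESS_TOKEN = sign_jwt({
    "jti": "YEeiX17iDgNwHGmAapjSQ", "sub": SUB, "iat": NOW, "exp": NOW + 14 * 86400,
    "scope": "openid profile offline_access", "iss": ISSUER, "aud": CLIENT_ID,
})
ID_TOKEN = sign_jwt({
    "sub": SUB, "name": None, "nickname": None, "gender": "U",
    "picture": "https://files.authing.co/authing-console/default-user-avatar.png",
    "updated_at": "2021-02-04T05:02:25.932Z", "at_hash": at_hash(ACCESS_TOKEN),
    "aud": CLIENT_ID, "exp": NOW + 14 * 86400, "iat": NOW, "iss": ISSUER,
})

# Constructed negative case: payload rewritten to claim a broader scope while keeping the
# original signature. The resource server must reject it because the signature no longer
# covers the payload, which is why scope must never be read without verifying first.
_h, _p, _s = ACCESS_TOKEN.split(".")
_claims = json.loads(b64url_decode(_p))
_claims["scope"] = "openid calendar.write"
TAMPERED_ACCESS_TOKEN = f"{_h}.{b64url_encode(json.dumps(_claims, separators=(',', ':')).encode())}.{_s}"

if __name__ == "__main__":
    print("API caller is", authorize_api_call(ACCESS_TOKEN, "profile", now=NOW))
    print("ID Token valid for", validate_id_token(ID_TOKEN, ACCESS_TOKEN, now=NOW)["sub"])
    print("tampered token rejected:", rejects(authorize_api_call, TAMPERED_ACCESS_TOKEN, "calendar.write", now=NOW))
```

Passing the ID Token to authorize_api_call is rejected as well: it carries no scope claim, which is the concrete reason the page advises against using an ID Token for API access. Conversely, validate_id_token refuses the Access Token because it has no at_hash, so neither token can be substituted for the other.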