
Should API consumer send id_token or access_token for openIDConnect security scheme


With the addition of the openIdConnect security scheme object type in v3, I find the spec ambiguous on whether the API consumer should be sending an id_token or an access token to the API.

From my understanding, this may not have been an issue in v2 since there was only oauth2 instead of oauth2 and openIdConnect. Since OpenIDConnect flows can provide both id tokens and access tokens, which token type should be sent to the API? Does specifying an auth type of openIdConnect imply that an id_token should be used, while oauth2 implies that an access_token should be used? If so, I think this information should be explicit in the spec instead of implied. If not, could you comment on whether or not consumers should always be sending an access_token for both oauth2 and openIdConnect security scheme types?

Issue Analytics

  • State: open
  • Created: 5 years ago
  • Reactions: 1
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

lkgarrison commented, Feb 22, 2019 (4 reactions)

Thanks for the detailed reply Phil. It would be great to see this guidance appear within the spec itself to help eliminate confusion for API consumers.

pleothaud commented, Feb 14, 2019 (2 reactions)

Hi there,

The problem is complex (is the OpenID Connect Provider also an OAuth Authorization Server for the API? Are the access tokens opaque tokens or JWTs? etc.), but in short id_tokens are JWTs intended for Client Application use, not for Resource Server (API) use.

id_tokens are there so that the Client Application can authenticate the end-user, they contain potentially sensitive information about the end-user that you as the Client Application developer/owner might not be allowed to transmit to the Resource Server (the API).

So don’t send id_tokens but access_tokens to the API. The API can then invoke the token introspection endpoint to get information about the end-user and the scopes the client application requested.

Hope it helps,

Phil
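The resource-server side of the advice above, as an added example that is not part of the issue or of any commenter's code: an API that accepts a bearer token only if it is an access token issued for this API, and turns away an id_token (whose `aud` is the client_id and which carries a `nonce` plus user claims such as `email`). A JWT access token is validated locally; an opaque one is checked through a stand-in for an RFC 7662 introspection endpoint, which is how the API would "get information about the end-user and the scopes". The HS256 demo key, the audience `https://api.example.com`, the client id `web-client-123`, the introspection table and the tokens themselves are all constructed for the example; a real API verifies RS256/ES256 signatures against the provider's JWKS and calls the provider's real introspection endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

DEMO_KEY = b"demo-signing-key"            # assumption: HS256 demo secret, not a real provider key
API_AUDIENCE = "https://api.example.com"  # assumption: identifier the AS puts in access-token aud
CLIENT_ID = "web-client-123"              # assumption: the OIDC client; an id_token's aud is this

# Constructed stand-in for an RFC 7662 introspection endpoint: maps opaque
# access tokens to the JSON the authorization server would return.
INTROSPECTION_DB = {
    "opaque-7f3a": {"active": True, "sub": "user-42", "scope": "read:orders",
                    "aud": API_AUDIENCE, "exp": 4102444800},
    "opaque-dead": {"active": False},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT (demo only; real OIDC providers sign with RS256/ES256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = DEMO_KEY) -> dict:
    """Pin the algorithm, then check the signature before trusting any claim."""
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))


def introspect(token: str) -> dict:
    """Stand-in for POST /introspect; unknown tokens come back inactive."""
    return INTROSPECTION_DB.get(token, {"active": False})


def authorize(bearer: str, required_scope: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Resource-server check: accept an access token for this API, reject everything else."""
    now = int(time.time()) if now is None else now
    if bearer.count(".") == 2:                      # JWT: validate locally
        try:
            claims = verify_jwt(bearer)
        except ValueError as exc:
            return False, str(exc)
    else:                                           # opaque: ask the authorization server
        claims = introspect(bearer)
        if not claims.get("active"):
            return False, "token inactive or unknown"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if API_AUDIENCE not in aud:
        # An id_token carries aud == client_id, never the API, so it is rejected here.
        return False, f"not issued for this API (aud={aud})"
    if "nonce" in claims:
        return False, "id_token presented as access token"
    if required_scope not in claims.get("scope", "").split():
        return False, f"missing scope {required_scope}"
    return True, claims["sub"]


FIXED_NOW = 1700000000  # constructed clock so the example is deterministic

# Constructed tokens: the id_token is what the client authenticates the user with
# (note the nonce and the email claim it should not forward); the access token is
# what the client should present to the API.
ID_TOKEN = make_jwt({"iss": "https://op.example.com", "sub": "user-42", "aud": CLIENT_ID,
                     "nonce": "n-0S6_WzA2Mj", "email": "user42@example.com",
                     "iat": FIXED_NOW, "exp": FIXED_NOW + 3600})
ACCESS_TOKEN = make_jwt({"iss": "https://op.example.com", "sub": "user-42", "aud": API_AUDIENCE,
                         "scope": "read:orders write:orders",
                         "iat": FIXED_NOW, "exp": FIXED_NOW + 3600})

if __name__ == "__main__":
    for name, tok in [("id_token", ID_TOKEN), ("jwt access_token", ACCESS_TOKEN),
                      ("opaque access_token", "opaque-7f3a"), ("revoked opaque", "opaque-dead")]:
        print(name, authorize(tok, "read:orders", now=FIXED_NOW))
```

The `aud` check is the one that does the real work: an OIDC provider addresses the id_token to the client, so an API that insists on its own identifier in `aud` never accepts one, whichever security scheme type the OpenAPI document declares. The `nonce` check is a second, independent signal for the same condition.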

