ID Tokens VS Access Tokens: What's the Difference? 

I was dumbly sweating off for 2 days trying to get user information from an "access token" but then I saw this video. The clear difference you explained makes so much sense. Thank you for developing this content, auth0.

Great video! I especially enjoyed the illustrations created!

the differences were explained very nicely!

Super informative and concise. Excellent! MM

@OktaDev 1:42 "JAWT" is a shortened form of "JAson Web Token"

wow that was a super delicious explanation!! Loved it!!

Thanks James. Great content as usual. I am a big fan.

Thank you James! I have some questions What is the use case to have a decentralized authentication or is it preferable ? And for the OAuth protocol I think the use case for the apps that allows integrations and exposes the API to the public ? Or the use case can be suitable for a single app that have micro-services, and multiple clients like web, mobile apps ?

You have made it to the point! This is an amazingly easly understandable content in the bushes of misinformation on the internet on that subject! You are explaing here much more than just a difference between the tokens! Well done!

Great video. Very clear. Thank you!

Great video compact and informative

That was very nicely explained. Thank you!

Thanks for a simple and clear explaination

This video is a gem. Thank you so much! 💎

Fantastic video. Very thorough and at the same time concise.

Nice one 🎉 informative and helpful 👍

Nicely presented, thank you

Thanks James! You rock.

Thanks for the awesome video!, but I have a question, what if the APIs are like a BFF (APIs that are tied specifically to your web/app)?, in that case can be "good" to use the ID token as a Bearer?. If we need to just sent the access token, how can we use custom attributes (or validate custom permissions) if the information is not available in the token itself without continuously fetching and validating the data?. Thanks!

Great explanation on the difference between access and id tokens. I have a question about access tokens in Auth0 (since as of now there is no agreed upon specification) How does the api receiving the access token know who the requester is (username/email)? The access token proves the user is authorized to request a resource, but has no information who the user is. So how could a remote api determine someones identity information without using the identity token?

Awesome content!! Thanks a lot 🙌🏾❤

Great explaination. Saved

Great explanation, thank you

Well explained. Thank you

Great explanation! However, I have a query here. In an enterprise app, the user is authenticated at the frontend app (built in react, angular, etc.) and have the access to ID token, which would be user for future authentication. Now the frontend app needs to access protected RESTful API endpoint. So, authorization will be implemented using the same Identity server (which will act as Authorization Server)? So, for an enterprise app, authentication and authorization can be done using same Identity Server?

i am very confused the role of id_token, after the application request to authentication server, the server will return id_token, access_token。in my opinion, application request the backend api will pass id_token to backend sever, and backend will use id_token to judge the user is logged? but according the video, id_token is not passed to api. so id_token returned only tell the application the user is logged a moment? id_token will no any effect when api calling？

Awesome, Thank you so much boss

I love this video. Very well made, the music and the animations are a great match. I think I know a few people that have or are using access tokens as a form of ID. This is a nuance that I only became aware after watching this video, so I definitely learned something new here. Thanks for making this video!

Can we send Id token to backend for getting the user's data? Note: Sending acces token for api authorisation as well

Nice video. Appreciated. Can we use both in the payment gateway integration

Just because an access token doesn't guarantee that a user is logged in does not, at all, seem to mean that we can't presume the user is authentic. They certainly did make authenticity clear in granting the resource access, so it does absolutely seem to be an authentication token. The only things that make it an authorization token, is if scopes are stored (and checked) associated with that token on the resource server. However, it's certainly also a claim of authenticity if it contains authentic claims for authorization. 😑🤨🤔

If id token is for bring user info in payload, why does it need to be JWT? What situation I would validate signature if it came from a redirect from IdP?

Awesome video

Great video.

Awesome. Thumbs up of course. I am just curious if there is a tool that I can use to decode an ID token in code, preferably a command line utility like jq but for ID tokens?

You are just awesome ❤

If the access token shouldn’t be sent to my API from my front end, how can my backend know that the user is logged in? Sure, the frontend knows but if it can’t ever convey that information to the backend when making requests, what is it good for? I’m probably missing something obvious but I’m honestly confused.

thanks man

Nice, One question - Can we add new claim to access token after logged in?

I have a dumb question. If an access token provides authorization but not authentication, how in the example does Twitter know what user they are posting as? Seems that there MUST be at least an implicit authentication here?

If you send an access_token to the API how the API knows that it is allowed to do something on behalf of Jone Doe? There is nothing related to John Doe in the token itself

well explained - thx!

Finally I understand ID token and Access token. Thank you so much sir!

Thank you.

Hello, how are you, there are applications that request a token, request that the client id and seceret key be sent, others an api token and a secret key, how is this different from, for example, sending user and pass?

Thank you

JWT is for Authorization

tokens are something i used at chucky cheese when i was a kid to play games. what does a token have to do with a computer or the internet? lots of people out there do not like 2fa.

Ok so what token can be sent to API if not ID token and auth token?

If ID tokens(JWT) should never be sent to an API, then how the hell a client can be authenticated ? Why Spring Boot has inbuilt methods and structure for signing and validating JWT if we are not going to sent JWTs to Spring Boot API ? Am I wrong or everywhere I read (Stackoverflow, tutorials , etc..) it said exactly the opposite of your statement ?

I love you, man

JWT sounds like "Jawt". I call them JWT "jawt" tokens because that is what I see when I see the three letters.

"ID Tokens should NOT be sent to an API" is still confusing for me. I guess in most cases you want a single sign on in your web application, so you do not have to deal with the user managemnet yourself. Now probably your web application consists of a frontend (let's say a SPA) and one (or more) backend. In this case, are the frontend and the backend different clients, with different client ids? Now, in the backend of my web app, I need to identify the user because it is my backend which has to do the authorization (in most of the cases checking the userid (sub) against an access control list). But apprently I can not use the id token for that purpose? Looking at a how-to from google-developes this seems to be the way to go: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-j_31hJtWjlw.html ... What is your preferred way of identifying an user in the backend? Using the backend's client_secret to introspect the id token, or use the access token to call the userinfo endpoint of the ID provider?

"...maybe not that stressful..." Sir, it definitely is. xD

❤

Can somebody explain to me about accesstoken more clearly???? 😅

Thanks for the video, is it possible to get the access token when the scope is set to openid? If yes, flow used in OAuth2.0 can be followed in Openid as well?

TL;DR - ID tokens are for id. Access tokens are for access. So confusing.

I miss the dislike counts being visible, RU-vid fucked users and creators. I’m sure this video has so little dislikes, a shame not to display the winning ratio

What is Identify provider? When we initially login / authenticate (a user) , is it against the Identify provider? Does identify provider provide the ID Token?

recap: ID token is the token return from JWT, Access token is the token return from Oauth2