What is the difference between ID Token and Access Token
After a successful authentication, cidaas confirms the result by issuing a token. OAuth2 and OpenID Connect work with different tokens. In either case, cidaas issues an access token based on the OAuth2 standard. The token is built as a JWT (JSON Web Token), which is essentially base64url-encoded JSON. Optionally, for a user authentication, cidaas can also issue an ID token, which is based on the OIDC standard and is likewise built as a JWT.
| Access Token | ID Token |
|---|---|
| An access token is always issued after an authentication process. | An ID token is only issued if you request the openid scope. |
| The access token secures access to a particular resource. | The ID token's purpose is to confirm that the user has been authenticated, i.e. to prove the user's identity. |
| Defined by the OAuth2 standard | Defined by the OIDC standard |
Decode Your Tokens: You can decode and inspect your JWTs (both access tokens and ID tokens) using the JWT Decoder. The tool lets you view the claims, the issued-at and expiration times, and other token metadata.
Find out more about a claim's value by clicking on the claim, e.g., the amr values, roles and scopes.
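As an added example (not cidaas code and not the JWT Decoder itself), the Python below shows what a decoder does and why decoding is not verification: it splits the three base64url segments, restores the dropped padding and parses the JSON, then separately checks the signature with the algorithm pinned rather than taken from the token. The sample token is signed with HMAC-SHA256 under a constructed secret so the block runs offline; the secret, claims and issuer URL are all made up, and a real verifier would use the issuer's published key with the same pinned-algorithm rule.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; only here so the example can sign its own sample token.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt(token: str) -> tuple:
    """Split and decode a JWT WITHOUT checking the signature.

    This is all a decoder tool does: it shows the claims but proves nothing,
    because the payload is only encoded, not encrypted or yet authenticated.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims only if the HS256 signature checks out."""
    header, payload, signature = decode_jwt(token)
    # Pin the algorithm: the token must not get to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature does not match")
    return payload


if __name__ == "__main__":
    # Constructed sample claims; not real cidaas output.
    sample = make_hs256_jwt(
        {"iss": "https://idp.example.invalid", "sub": "user-123", "scopes": ["openid", "profile"]},
        DEMO_SECRET,
    )
    header, claims, _ = decode_jwt(sample)
    print("header:", header)
    for name, value in claims.items():
        print(f"{name}: {value}")
    print("verified claims:", verify_hs256(sample, DEMO_SECRET))
```

The split between `decode_jwt` and `verify_hs256` is the point: anything that only decodes (a browser tool, a log parser) is fine for inspection, but a resource server must run the verification step before it acts on a single claim.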
Access Token
| Access Token Claim | Is Standard? | Description (where is it set, in which case) |
|---|---|---|
| exp | REQUIRED | Expiration time on or after which the token MUST NOT be accepted for processing. Processing this claim requires that the current date/time is before the expiration date/time given in the value. (Always set) |
| iat | REQUIRED | The "iat" (issued at) claim identifies the time at which the JWT was issued. It can be used to determine the age of the JWT. Its value must be a number containing a NumericDate value. |
| jti | REQUIRED | The "jti" (JWT ID) claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string. |
| sub | REQUIRED | The subject: a unique identifier for the user. |
| aud | REQUIRED | Identifies the audience this token is intended for. It is one of your application's OAuth 2.0 client IDs. |
| auth_time | OPTIONAL | (Required if max_age is requested.) The time the end user was authenticated, represented in Unix time (seconds). |
| iss | REQUIRED | The "iss" (issuer) claim identifies the principal that issued the JWT. Processing of this claim is generally application specific. |
| nonce | OPTIONAL | A value that is returned in the ID token. It is used to mitigate replay attacks. The value is required for the implicit and hybrid flows, but optional for the authorization code flow. |
| ua_hash | - | MD5 hash of the user agent (an MD5 hash is created by taking a string of any length and encoding it into a 128-bit fingerprint). |
| sid | OPTIONAL | Identifier for the session. |
| isub | - | Identity used to log in. |
| groups | - | The groups the user is a member of that also match the ID token group filter of the client app. |
| scopes | - | OpenID Connect uses scope values to specify which access privileges are being requested for access tokens. |
| amr | OPTIONAL | Authentication Methods References. JSON array of strings that are identifiers for authentication methods used during authentication. |
| roles | OPTIONAL | A list of roles for the user that collectively represent who the user is, e.g., "Student", "Faculty". |
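As an added example, not cidaas code, this Python validator applies the checks the access-token table above implies to a decoded payload: presence of the REQUIRED claims, issuer, audience (string or array), exp/iat/nbf with a small clock-skew leeway, auth_time when the client requested max_age, and jti tracking against replay. It assumes the signature has already been verified and only judges the claims; the issuer URL, client ID and all claim values are constructed.

```python
import time
from typing import Optional


class ClaimError(ValueError):
    """Raised with a short reason when an access token's claims fail validation."""


def validate_access_token_claims(
    claims: dict,
    *,
    expected_iss: str,
    expected_aud: str,
    now: Optional[int] = None,
    leeway: int = 60,
    max_age: Optional[int] = None,
    seen_jti: Optional[set] = None,
) -> dict:
    """Check the claims a resource server must look at before trusting the token.

    Assumes the signature was already verified; this only judges the payload.
    Returns the claims on success and raises ClaimError otherwise.
    """
    now = int(time.time()) if now is None else now

    # The table lists these as REQUIRED in an access token.
    for name in ("exp", "iat", "jti", "sub", "aud", "iss"):
        if name not in claims:
            raise ClaimError(f"missing required claim {name}")

    if claims["iss"] != expected_iss:
        raise ClaimError("iss does not match the trusted issuer")

    # aud may be a single string or an array; this resource's own client ID must be in it.
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in audiences:
        raise ClaimError("token not intended for this audience")

    # Time checks with a clock-skew allowance: now must be before exp, iat must not be in the future.
    if now >= int(claims["exp"]) + leeway:
        raise ClaimError("token expired")
    if int(claims["iat"]) > now + leeway:
        raise ClaimError("iat lies in the future")
    if "nbf" in claims and now < int(claims["nbf"]) - leeway:
        raise ClaimError("token not yet valid (nbf)")

    # auth_time is only mandatory when the client asked for max_age.
    if max_age is not None:
        if "auth_time" not in claims:
            raise ClaimError("auth_time required when max_age was requested")
        if now - int(claims["auth_time"]) > max_age:
            raise ClaimError("authentication is older than max_age")

    # Optional replay protection: remember jti values (in practice until their exp passes).
    if seen_jti is not None:
        if claims["jti"] in seen_jti:
            raise ClaimError("jti already seen (replay)")
        seen_jti.add(claims["jti"])

    return claims


def rejection_reason(claims: dict, **kwargs) -> str:
    """Convenience wrapper: '' when the claims are valid, otherwise the ClaimError message."""
    try:
        validate_access_token_claims(claims, **kwargs)
    except ClaimError as err:
        return str(err)
    return ""


def has_scope(claims: dict, scope: str) -> bool:
    """The table lists 'scopes' as the claim carrying the granted access privileges."""
    return scope in claims.get("scopes", [])


# Constructed sample payload; values are illustrative, not real cidaas output.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.invalid",
    "sub": "user-123",
    "aud": "my-client-id",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "jti": "constructed-jti-1",
    "scopes": ["openid", "profile"],
}

if __name__ == "__main__":
    checked = validate_access_token_claims(
        SAMPLE_CLAIMS,
        expected_iss="https://idp.example.invalid",
        expected_aud="my-client-id",
        now=1_700_000_100,
    )
    print("valid; has profile scope:", has_scope(checked, "profile"))
```

The audience check is the one most often skipped: a token that is valid for another client of the same issuer still verifies cryptographically, and only the aud comparison stops it from being accepted here.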
ID Token
| ID Claim | Is Standard? | Description (where is it set, in which case) |
|---|---|---|
| sub | REQUIRED | The subject: a unique identifier for the user. |
| aud | REQUIRED | In ID tokens, the audience is your app's Application ID, assigned to your app. |
| iss | REQUIRED | Identifies the issuer, i.e. the "authorization server" that constructs and returns the token. |
| iat | REQUIRED | "Issued At": indicates when the authentication for this token occurred. |
| exp | REQUIRED | The "exp" (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. |
| auth_time | CONDITIONAL | When a max_age request is made, this claim is REQUIRED; otherwise its inclusion is OPTIONAL. |
| nonce | CONDITIONAL | The nonce matches the parameter included in the original /authorize request to the IDP. If it does not match, your application should reject the token. |
| amr | OPTIONAL | Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. |
| acr | OPTIONAL | Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates that the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case-sensitive string. |
| azp | OPTIONAL | Authorized party: the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This claim is only needed when the ID Token has a single audience value and that audience is different from the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case-sensitive string containing a StringOrURI value. |
| c_hash | CONDITIONAL | Code hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the code value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is HS512, hash the code value with SHA-512, then take the left-most 256 bits and base64url-encode them. The c_hash value is a case-sensitive string. If the ID Token is issued from the Authorization Endpoint with a code, which is the case for the response_type values code id_token and code id_token token, this is REQUIRED; otherwise, its inclusion is OPTIONAL. |
| at_hash | CONDITIONAL | Access Token hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url-encode them. The at_hash value is a case-sensitive string. If the ID Token is issued from the Authorization Endpoint with an access_token value, which is the case for the response_type value code id_token token, this is REQUIRED; otherwise, its inclusion is OPTIONAL. |
| userfields | | |
| preferred_username | REQUIRED | The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. |
| email | - | The email claim is present by default for guest accounts that have an email address. Your app can request the email claim for managed users (those from the same tenant as the resource) using the email optional claim. |
| name | OPTIONAL | The name claim provides a human-readable value that identifies the subject of the token. The value isn't guaranteed to be unique, it can be changed, and it's designed to be used only for display purposes. |
| address, email_verified, phone, offline_access, nickname, preferred_username, gender, birthdate, updated_at, given_name, family_name, phone_number, phone_number_verified, locale, zoneinfo | OPTIONAL | These claims are optional. |
| ua_hash | - | MD5 hash of the user agent (an MD5 hash is created by taking a string of any length and encoding it into a 128-bit fingerprint). |
| nbf | - | The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. |
| roles | - | The set of roles that were assigned to the user who is logging in. |
| jti or uti | - | Token identifier claim, equivalent to jti in the JWT specification. Unique, per-token identifier that is case-sensitive. |
| ver | - | Indicates the version of the id_token. |
| scopes - openid | - | Informs the Authorization Server that the Client is making an OpenID Connect request. If the openid scope value is not present, the behavior is entirely unspecified. |
| user_status | - | Status of the user. |
| last_accessed_at | - | Timestamp of the user's last activity. |
| last_used_identity_id | - | Identity of the user's last access. |
| provider | - | E.g. the type of registration: self/c-space. |
| sid | - | This represents a session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. |
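As an added example (not cidaas code), the Python below implements the at_hash and c_hash rules from the table above exactly as described there (left-most half of the hash selected by the ID token's alg, base64url without padding) and checks them, together with the nonce, against what the client actually received back with the ID token. The access token, code and nonce values are constructed; the alg-to-hash mapping covers the JOSE algorithm families whose digest size is named by the alg suffix.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Hash function implied by the ID token's JOSE alg: the 256/384/512 suffix names the SHA-2 size.
_HASH_FOR_ALG = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def left_half_hash(value: str, alg: str) -> str:
    """base64url(left-most half of HASH(ascii(value))), with HASH chosen by alg.

    This is the at_hash / c_hash construction from the table: e.g. RS256 gives
    SHA-256, of which the left-most 128 bits (16 bytes) are kept.
    """
    try:
        hash_fn = _HASH_FOR_ALG[alg]
    except KeyError:
        raise ValueError(f"no hash mapping for alg {alg!r}")
    digest = hash_fn(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def _equal(claim_value: Optional[str], expected: str) -> bool:
    """Constant-time string comparison that treats a missing claim as unequal."""
    return claim_value is not None and hmac.compare_digest(claim_value.encode(), expected.encode())


def check_id_token_binding(
    id_claims: dict,
    alg: str,
    *,
    expected_nonce: Optional[str] = None,
    access_token: Optional[str] = None,
    code: Optional[str] = None,
) -> list:
    """Return the list of binding problems; empty means the ID token belongs to this exchange.

    - nonce: must equal the value this client sent on /authorize
    - at_hash: REQUIRED when an access_token was returned alongside the ID token
    - c_hash: REQUIRED when a code was returned alongside the ID token
    """
    problems = []
    if expected_nonce is not None and not _equal(id_claims.get("nonce"), expected_nonce):
        problems.append("nonce mismatch")
    for claim, artefact in (("at_hash", access_token), ("c_hash", code)):
        if artefact is None:
            continue  # nothing was returned with the ID token, so the claim is optional
        if claim not in id_claims:
            problems.append(f"{claim} missing")
        elif not _equal(id_claims[claim], left_half_hash(artefact, alg)):
            problems.append(f"{claim} mismatch")
    return problems


if __name__ == "__main__":
    # Constructed values; a real exchange would take them from the authorization response.
    access_token = "constructed-access-token-value"
    code = "constructed-authorization-code"
    id_claims = {
        "nonce": "constructed-nonce-1",
        "at_hash": left_half_hash(access_token, "RS256"),
        "c_hash": left_half_hash(code, "RS256"),
    }
    print("at_hash:", id_claims["at_hash"])
    print("problems:", check_id_token_binding(
        id_claims, "RS256", expected_nonce="constructed-nonce-1", access_token=access_token, code=code))
```

The hash is taken over the token exactly as received, and the alg used for the hash must come from the verified ID token header, not from configuration alone, because the same access token hashes to a different at_hash under RS256 and RS512.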