Understanding ID Token, Access Token, and Refresh Token in OpenID Connect (OIDC)

Welcome to a practical look at OpenID Connect (OIDC), focusing on the three tokens that underpin its operation: the ID Token, the Access Token, and the Refresh Token. Understanding what each one asserts, who is meant to consume it, and what must be checked before trusting it is fundamental to using OIDC for secure user authentication and controlled access to resources.
OpenID Connect (OIDC) – A Brief Overview
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. It lets a client application verify the identity of an end user, based on the authentication performed by an authorization server (the identity provider), and obtain basic profile information about that user in an interoperable, REST-like manner. OAuth 2.0 on its own only delegates access to resources; OIDC adds the signed assertion of who the user is.
Delving into the Tokens of OIDC
OIDC works with three kinds of tokens: the ID Token, the Access Token, and the Refresh Token. Each is issued by the identity provider but is meant for a different consumer and carries different security obligations, so let us look at each in turn.
ID Token
An ID Token is a signed JSON Web Token (JWT) issued by the identity provider that asserts that a particular user has authenticated, and for which client application. Consider it the digital equivalent of an identity document: it is meant to be read and verified by the client, not forwarded to APIs. Here is an example of the claims in an ID token issued by a popular identity provider, Microsoft Entra ID (formerly Azure Active Directory):
{
  "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "sub": "abcdefghijklmnoprstuvwxyz",
  "aud": "99887766554433221100",
  "nonce": "12345",
  "exp": 1492816484,
  "iat": 1492812884,
  "auth_time": 1492812884
}
Here, ‘iss’ (issuer) identifies the identity provider that signed the token, ‘sub’ (subject) is the provider’s stable identifier for the user, ‘aud’ (audience) is the client ID of the application the token was issued to, ‘nonce’ echoes the value the client sent in its authentication request so that the response can be tied to that request and not replayed, and the timestamps ‘exp’ (expiration time), ‘iat’ (issued at) and ‘auth_time’ (when the user actually authenticated) bound the token’s lifetime. Because the ID token is a signed JWT, the client must verify the signature against the issuer’s published keys and then check that ‘iss’ is the expected issuer, that ‘aud’ contains its own client ID, that ‘exp’ has not passed, and that ‘nonce’ matches the value it generated, before it trusts any of these claims.
Access Token
An Access Token is a gate pass: the client presents it to an API (the resource server), which decides whether to grant access. Its format is agreed between the authorization server and the API rather than defined by OIDC, so the client should treat it as opaque and never rely on parsing it; the API is the party that validates it. The example below, again from Microsoft Entra ID, happens to be a JWT whose claims the API can inspect:
{
  "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "aud": "https://graph.microsoft.com",
  "sub": "abcdefghijklmnoprstuvwxyz",
  "exp": 1492816484,
  "app_displayname": "My Cool App",
  "appid": "99887766554433221100",
  "scope": "User.ReadWrite.All"
}
In this access token, ‘iss’ identifies the authorization server, ‘aud’ names the API the token is meant for (here Microsoft Graph), ‘sub’ is the user, ‘appid’ is the client ID of the application that requested the token, and ‘scope’ lists the permissions granted. The API must reject a token whose ‘aud’ does not match its own identifier, since a token issued for one API is not valid at another, and it checks ‘scope’ against what the requested operation requires. Because it is a bearer token, anyone who holds it can use it until ‘exp’, so it must only travel over TLS and must never be written to logs.
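The checks described for the ID token (signature, ‘iss’, ‘aud’, ‘exp’, ‘nonce’) and for the access token (‘aud’ on the API side, then ‘scope’) are shown below in one added example. This is not code from the article or from Microsoft; it is a stand-alone illustration. It assumes HS256 signing with a constructed client secret, which OIDC permits but which is not what Entra ID does (Entra ID signs with RSA keys published at its JWKS endpoint; in production you would fetch that key set and pin RS256). The sample claims are copied from the article’s two tokens, and the timestamps are the article’s own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised when a token fails any validation check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS signed with HS256. Used here only to construct
    sample tokens; Entra ID itself signs with an RSA key (RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 nonce: Optional[str] = None, now: Optional[float] = None,
                 leeway: int = 60) -> dict:
    """Check the signature, then iss/aud/exp/iat and (for ID tokens) nonce.
    Returns the claims, or raises TokenError naming the first failed check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("token is not a three-part compact JWS")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token, decides what is
    # acceptable. This rejects alg=none and RS256/HS256 confusion outright.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise TokenError("audience mismatch")
    # OIDC: with several audiences, azp must name the client doing the check.
    if len(aud_list) > 1 and claims.get("azp") != audience:
        raise TokenError("azp does not name this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("token expired or missing exp")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise TokenError("token issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch (possible replay)")
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """Resource-server check: is `required` among the space-separated scopes?"""
    return required in claims.get("scope", "").split()


def rejection_reason(token: str, key: bytes, issuer: str, audience: str,
                     **kwargs) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, key, issuer, audience, **kwargs)
        return None
    except TokenError as exc:
        return str(exc)


# Constructed sample data: the claims copy the article's two examples; the
# key is a made-up client secret; NOW sits a few seconds after the iat value.
KEY = b"constructed-client-secret"
ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"
CLIENT_ID = "99887766554433221100"
ID_CLAIMS = {"iss": ISSUER, "sub": "abcdefghijklmnoprstuvwxyz", "aud": CLIENT_ID,
             "nonce": "12345", "exp": 1492816484, "iat": 1492812884,
             "auth_time": 1492812884}
ACCESS_CLAIMS = {"iss": ISSUER, "aud": "https://graph.microsoft.com",
                 "sub": "abcdefghijklmnoprstuvwxyz", "exp": 1492816484,
                 "app_displayname": "My Cool App", "appid": CLIENT_ID,
                 "scope": "User.ReadWrite.All"}
ID_TOKEN = mint_hs256_token(ID_CLAIMS, KEY)
ACCESS_TOKEN = mint_hs256_token(ACCESS_CLAIMS, KEY)
NOW = 1492812900

if __name__ == "__main__":
    # Client-side ID token check, then the API-side access token check.
    print(verify_token(ID_TOKEN, KEY, ISSUER, CLIENT_ID, nonce="12345", now=NOW)["sub"])
    api_claims = verify_token(ACCESS_TOKEN, KEY, ISSUER, "https://graph.microsoft.com", now=NOW)
    print(has_scope(api_claims, "User.ReadWrite.All"))
    print(rejection_reason(ACCESS_TOKEN, KEY, ISSUER, CLIENT_ID, now=NOW))
```

Two design points are worth noting. The verifier fixes the algorithm before looking at the signature, so a token that announces alg=none or swaps the algorithm is refused rather than interpreted. And the same verify_token serves both sides: the client calls it with its own client ID as the audience and the nonce it generated, while the API calls it with its own identifier as the audience and no nonce. Passing the access token to the client-side check fails on audience, which is exactly the confusion the ‘aud’ claim exists to prevent.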
Refresh Token
Finally, the Refresh Token. It lets the client obtain a new access token from the identity provider’s token endpoint when the current one expires, without asking the user to sign in again, which keeps the experience seamless. Unlike the other two it carries no claims the client can read: it is an opaque reference that only the identity provider can interpret. It is also the longest-lived and most sensitive of the three. Whoever holds it can mint fresh access tokens, so it belongs in secure storage on the client, must never be sent to an API, and should be discarded as soon as the provider rejects it (typically with an invalid_grant error) or issues a replacement. Here is an example of a refresh token from Microsoft Entra ID:
OAQABAAAAAABnfiG-mA6NTae7CdWW7Qfdx-mU4mM9RiTII2ZYA_G9K9_xxxxxxxxxxxxxxxxxx
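The refresh exchange itself, as an added example that is not part of the article and not Datawiza’s or Microsoft’s code: the client sends a refresh_token grant to the token endpoint and updates its stored tokens from the reply, handling rotation and the invalid_grant failure that means the user has to sign in again. The token endpoint URL follows the shape of Entra ID’s v2.0 endpoint with the tenant left as a placeholder, the client ID is the article’s sample, and the two replies are constructed to match the OAuth 2.0 response format; nothing is sent over the network.

```python
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed values: endpoint shape as in Entra ID v2.0 (tenant left as a
# placeholder), client id taken from the article's sample tokens.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token"
CLIENT_ID = "99887766554433221100"


def build_refresh_request(refresh_token: str, scope: str,
                          client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, form body) for a refresh_token grant
    (RFC 6749 section 6). Confidential clients add their secret; public
    clients (SPAs, mobile apps) must not, because they cannot keep one."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID, "scope": scope}
    if client_secret is not None:
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(form)


def handle_token_response(status: int, body: str, stored: Dict, now: float) -> Dict:
    """Apply a token-endpoint reply to the client's token store, which holds
    access_token / refresh_token / expires_at. Returns ok, reauthenticate, error."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        stored["access_token"] = data["access_token"]
        stored["expires_at"] = now + data.get("expires_in", 0)
        # Rotation: if a new refresh token arrives, replace the old one at
        # once; the provider may have revoked it or made it single-use.
        if "refresh_token" in data:
            stored["refresh_token"] = data["refresh_token"]
        return {"ok": True, "reauthenticate": False, "error": None}
    error = data.get("error", "unknown_error")
    if error == "invalid_grant":
        # Expired, revoked, or already-used refresh token: drop it and send
        # the user back through interactive sign-in. Retrying will not help.
        stored.pop("refresh_token", None)
        stored.pop("access_token", None)
        return {"ok": False, "reauthenticate": True, "error": error}
    # Anything else (invalid_client, a temporary server error) is a client or
    # availability problem, not a sign that the user's session is gone.
    return {"ok": False, "reauthenticate": False, "error": error}


# Constructed token-endpoint replies in the OAuth 2.0 response shape.
SUCCESS_REPLY = json.dumps({"token_type": "Bearer", "scope": "User.ReadWrite.All",
                            "expires_in": 3599, "access_token": "constructed.access.token",
                            "refresh_token": "constructed-rotated-refresh-token"})
INVALID_GRANT_REPLY = json.dumps({"error": "invalid_grant",
                                  "error_description": "constructed: refresh token revoked"})

if __name__ == "__main__":
    url, headers, body = build_refresh_request("old-refresh-token",
                                               "User.ReadWrite.All offline_access")
    print(url, body)
    store = {"refresh_token": "old-refresh-token"}
    print(handle_token_response(200, SUCCESS_REPLY, store, now=0), store)
    print(handle_token_response(400, INVALID_GRANT_REPLY, store, now=0), store)
```

On the Microsoft identity platform a refresh token is only issued when the original authorization request included the offline_access scope, which is why the example requests it; other providers have their own conventions. The important behaviour is in handle_token_response: a rotated refresh token overwrites the old one immediately, and invalid_grant clears the store rather than being retried.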
How Datawiza Helps
Datawiza provides a no-code solution that adds OIDC or SAML authentication to your apps, so you don’t have to implement token handling yourself. It supports Microsoft Entra ID, Azure AD B2C, Amazon Cognito, Google, Okta, Auth0, Cisco Duo, Ping Identity, KeyCloak and others. Interested in learning more? Book a demo today.



