Understanding ID Token, Access Token, and Refresh Token in OpenID Connect (OIDC)


This post looks at the three tokens that OpenID Connect (OIDC) hands to a client application: the ID Token, the Access Token, and the Refresh Token. Each one has a different audience and a different job, and mixing them up (for example, treating an access token as proof of who the user is) is one of the most common mistakes in OIDC integrations.

OpenID Connect (OIDC) – A Brief Overview

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 authorization protocol. It lets a client verify the identity of an end user based on the authentication performed by an authorization server (the identity provider), and obtain basic profile information about that user, in an interoperable, REST-like way.

Delving into the Tokens of OIDC

An OIDC login typically yields three types of token: the ID Token, the Access Token, and the Refresh Token. Strictly speaking, only the ID Token is defined by OIDC itself; the other two come from OAuth 2.0, which OIDC builds on. Let’s take a closer look at each of them and the role it plays.

ID Token

An ID Token is a signed JSON Web Token (JWT) in which the identity provider asserts that a specific user authenticated, for a specific client, at a specific time. Think of it as a digital identity document: the client must verify its signature and check its claims before trusting anything inside it. Below is the payload (the signed claims; the JWT header and signature are omitted) of an ID token issued by a popular identity provider, Microsoft Entra ID (formerly Azure Active Directory):

{
 "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
 "sub": "abcdefghijklmnoprstuvwxyz",
 "aud": "99887766554433221100",
 "nonce": "12345",
 "exp": 1492816484,
 "iat": 1492812884,
 "auth_time": 1492812884
}

Here, ‘iss’ (issuer) identifies the identity provider and must match the issuer the client was configured to trust. ‘sub’ (subject) is the identifier of the user; in Entra ID it is pairwise, meaning the same user gets a different ‘sub’ for each application, so use it as the user key within your app rather than to correlate users across apps. ‘aud’ (audience) names the intended recipient, and the client must reject any ID token whose ‘aud’ is not its own client ID. ‘nonce’ echoes a random value the client generated when it started the login; the client compares it with the value stored in the user’s session, which stops a captured ID token from being replayed into a different login. The timestamps ‘exp’ (expiration time), ‘iat’ (issued at) and ‘auth_time’ (when the user actually authenticated, which may be earlier than ‘iat’ if single sign-on was used) describe the token’s lifespan; a client should reject a token past ‘exp’ and can use ‘auth_time’ to require a fresh login for sensitive operations.

Access Token

An Access Token is a bearer credential: a gate pass that the client presents to an API (the resource server) to access protected resources. It is issued for the API, not for the client, so the client should treat it as opaque and simply send it in the Authorization header; the API is the party that validates it. To illustrate the claims, here is the decoded payload of an Entra ID access token issued for Microsoft Graph:

{
  "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "aud": "https://graph.microsoft.com",
  "sub": "abcdefghijklmnoprstuvwxyz",
  "exp": 1492816484,
  "app_displayname": "My Cool App",
  "appid": "99887766554433221100",
  "scope": "User.ReadWrite.All"
}

In this access token, ‘iss’ identifies the identity provider, ‘aud’ names the API the token is meant for (Microsoft Graph here), and the API must reject tokens whose ‘aud’ is anything else. ‘sub’ is the user on whose behalf the call is made, ‘appid’ is the client ID of the application that requested the token, and ‘scope’ lists the permissions that were granted, which the API enforces per endpoint. Note what this means for the client: because the audience is the API, an access token is not proof of the user’s identity to your own app. A client that accepts an access token in place of an ID token will also accept tokens minted for other APIs, which is exactly the confusion the ‘aud’ check exists to prevent.
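The validation steps described for the ID Token above, and the audience confusion just described for the Access Token, as an added example (not code from the original page and not Datawiza’s or Microsoft’s implementation). To run offline with the standard library only, the tokens are signed with HS256 using a shared secret; real Entra ID tokens are RS256-signed and the public key is fetched from the provider’s JWKS document, but the claim checks are the same. The client ID, issuer, secret and fixed clock value are assumptions for this example, with the claims modelled on the page’s two samples.

```python
"""Relying-party validation of an OIDC ID token, and why an access token must fail it."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumptions for this example only (not values from the original page):
CLIENT_ID = "99887766554433221100"                           # our app's client ID, the expected 'aud'
ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"   # the issuer we were configured to trust
SECRET = b"constructed-shared-secret-for-this-example-only"    # stands in for the provider's signing key
NOW = 1492812884                                              # fixed clock so the demo is deterministic


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS. In real life the identity provider does this, never the client."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """A token with alg=none and an empty signature, as an attacker might submit it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def validate_id_token(token: str, secret: bytes, expected_nonce: str,
                      now: Optional[int] = None, leeway: int = 60) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError.

    Order matters: pin the algorithm and verify the signature before trusting any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-segment JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":                      # never let the token choose its own algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"wrong issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:                        # an access token for an API fails here
        raise ValueError(f"token not issued for us: aud={aud!r}")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not our client ID")
    if claims.get("exp") is None or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims.get("iat") is not None and claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match the one sent in the authentication request")
    return claims


# Constructed claim sets modelled on the page's two samples.
ID_TOKEN_CLAIMS = {"iss": ISSUER, "sub": "abcdefghijklmnoprstuvwxyz", "aud": CLIENT_ID,
                   "nonce": "12345", "exp": NOW + 3600, "iat": NOW, "auth_time": NOW}
ACCESS_TOKEN_CLAIMS = {"iss": ISSUER, "aud": "https://graph.microsoft.com",
                       "sub": "abcdefghijklmnoprstuvwxyz", "exp": NOW + 3600,
                       "appid": CLIENT_ID, "scope": "User.ReadWrite.All"}


def try_validate(token: str, nonce: str = "12345", now: int = NOW) -> Tuple[str, object]:
    """Wrap validation so outcomes can be compared: ('ok', claims) or ('rejected', reason)."""
    try:
        return "ok", validate_id_token(token, SECRET, nonce, now=now)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(try_validate(sign_hs256(ID_TOKEN_CLAIMS, SECRET)))       # ok
    print(try_validate(sign_hs256(ACCESS_TOKEN_CLAIMS, SECRET)))   # rejected: wrong aud
    print(try_validate(unsigned_token(ID_TOKEN_CLAIMS)))           # rejected: alg none
```

The access-token case is the one to notice: the token is genuine and correctly signed by the same issuer, yet it is rejected, because its audience is Microsoft Graph rather than this client. That single check is what keeps a token intended for one recipient from being used as a login credential somewhere else.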

Refresh Token

Finally, we come to the Refresh Token. The client sends it to the identity provider’s token endpoint (grant type refresh_token) to obtain a new access token when the old one expires, without making the user sign in again, which keeps the experience seamless. Unlike the other two tokens it is opaque to the client: it carries no claims the client can read and is simply a reference the identity provider uses to look up the session and issue new tokens. That opacity does not make it harmless. A refresh token is typically long-lived, and anyone who holds it can mint fresh access tokens until it expires or is revoked, so it must be stored server-side (or in platform-protected storage on native apps), never exposed to browser JavaScript, and ideally rotated by the provider on every use so that reuse of an old one can be detected. Here’s an example of a refresh token from Microsoft Entra ID (truncated):

OAQABAAAAAABnfiG-mA6NTae7CdWW7Qfdx-mU4mM9RiTII2ZYA_G9K9_xxxxxxxxxxxxxxxxxx
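The refresh flow and the rotation-with-reuse-detection behaviour described above, as an added example that simulates the identity provider’s token endpoint in memory (it is not code from the original page and not how Entra ID is implemented). Token lifetimes, the token format and the in-memory store are assumptions made for the demonstration; the pattern itself is the one recommended in the OAuth 2.0 Security Best Current Practice: each refresh retires the token just used and issues a new one, and presenting a retired token is treated as evidence of theft that revokes the whole token family.

```python
"""In-memory simulation of a token endpoint that rotates refresh tokens and detects reuse."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

ACCESS_TOKEN_TTL = 3600            # seconds; assumed lifetime for the demo
REFRESH_TOKEN_TTL = 90 * 86400     # seconds; assumed lifetime for the demo
INVALID_GRANT = {"error": "invalid_grant",
                 "error_description": "refresh token is invalid, expired, revoked or reused"}


@dataclass
class RefreshRecord:
    family: str        # all tokens descending from one login share a family
    client_id: str     # the client the token was issued to
    sub: str
    scope: str
    expires_at: float
    used: bool = False # set once the token has been exchanged; a second use is a replay


class TokenEndpoint:
    def __init__(self) -> None:
        self._refresh: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    def _mint(self, family: str, client_id: str, sub: str, scope: str, now: float) -> dict:
        """Issue a fresh access token plus a new refresh token in the given family."""
        refresh_token = secrets.token_urlsafe(48)   # opaque to the client, a lookup key for us
        self._refresh[refresh_token] = RefreshRecord(family, client_id, sub, scope,
                                                     now + REFRESH_TOKEN_TTL)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh_token, "scope": scope}

    def issue_initial(self, client_id: str, sub: str, scope: str,
                      now: Optional[float] = None) -> dict:
        """What the token endpoint returns after the user first authenticates."""
        now = time.time() if now is None else now
        return self._mint(secrets.token_urlsafe(16), client_id, sub, scope, now)

    def refresh(self, client_id: str, refresh_token: str,
                now: Optional[float] = None) -> dict:
        """Handle grant_type=refresh_token. Returns a token response or an OAuth error."""
        now = time.time() if now is None else now
        record = self._refresh.get(refresh_token)
        if record is None or record.family in self._revoked_families:
            return dict(INVALID_GRANT)
        if record.client_id != client_id or record.used:
            # Presented by the wrong client, or presented twice: someone other than the
            # legitimate holder has it. Revoke every token in the family, including the
            # one the legitimate client currently holds, and force a new login.
            self._revoked_families.add(record.family)
            return dict(INVALID_GRANT)
        if now > record.expires_at:
            return dict(INVALID_GRANT)
        record.used = True                       # retire this token; its successor replaces it
        return self._mint(record.family, client_id, record.sub, record.scope, now)


if __name__ == "__main__":
    endpoint = TokenEndpoint()
    first = endpoint.issue_initial("99887766554433221100", "abcdefghijklmnoprstuvwxyz", "User.Read")
    second = endpoint.refresh("99887766554433221100", first["refresh_token"])
    print("rotated:", second["refresh_token"] != first["refresh_token"])
    print("replay of old token:", endpoint.refresh("99887766554433221100", first["refresh_token"])["error"])
    print("current token after replay:", endpoint.refresh("99887766554433221100", second["refresh_token"])["error"])
```

The last two lines of the demo are the interesting ones: after the old refresh token is replayed, even the legitimate client’s current token stops working. That is deliberate. The provider cannot tell which of the two presenters is the attacker, so it invalidates both and the real user simply signs in again, while the stolen token becomes worthless.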

Conclusion

ID Tokens, Access Tokens, and Refresh Tokens together provide both security and a smooth user experience in OIDC-enabled applications. The ID Token tells the client who the user is and must be validated by the client; the Access Token grants access to protected resources and is validated by the API it was issued for; and the Refresh Token lets the client obtain new access tokens without repeated manual sign-ins, which is exactly why it must be guarded carefully. Keeping each token in its own role is what makes the combined authentication and authorization protocol both secure and simple to use.

Written by the Datawiza team. We hope you enjoyed it! Join us on our Discord server if you have any questions or need any help.