OpenID Connect, which is built on top of OAuth 2.0, uses two types of tokens: an access_token and an id_token. Understanding the purpose of these two tokens can help you decide which claims or attributes to include in each.
Access Token: The access_token is intended to be used when making requests to the resource server (your API). It is meant to authorize requests, not to convey user identity information. That being said, it can contain scopes or roles (i.e., permissions) to help the resource server understand what the client (or the user on behalf of whom the client is acting) is allowed to do. For instance, you might include the role claim in the access token.
ID Token: The id_token is intended to convey user identity information to the client. The authorization server issues it to the client application as proof that the user has authenticated, together with basic profile information about the user. This is where you'd typically include claims like firstName, lastName, age, and gender.
So, following this logic, in your case:
- firstName, lastName, age, and gender should be included in the id_token because they're primarily related to user identity.
- role should be included in the access_token because it relates to what the client is allowed to do when making requests to your API on behalf of the user.
Of course, there might be exceptions based on specific requirements of your application. If, for example, your resource server (API) needs to know the age or gender of the user for some reason, you might include those claims in the access_token too.
Remember, one of the important principles of using these tokens is to minimize the amount of sensitive user information they carry. Always include only what is necessary for the operation of your application.
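To make the split concrete, here is an added example (not part of the original answer) that mints the two tokens with exactly the claim split described above and then shows each consumer enforcing its own expectation: the API accepts only an access_token addressed to it and carrying the required role, the client accepts only an id_token addressed to it and bound to its nonce, and each rejects the other's token. It uses a hand-rolled HS256 JWT on the standard library only, so it runs offline; the key, issuer URL, client id, API audience and sample user are all constructed values. The header type `at+jwt` for access tokens comes from RFC 9068; the claim names firstName/lastName/age/gender are the question's, whose OIDC standard equivalents are given_name, family_name, birthdate and gender.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the original answer).
SECRET = b"demo-hs256-key-do-not-use-in-production"  # key shared by AS, client and API for this demo only
ISSUER = "https://auth.example"                      # hypothetical authorization server
TOKEN_LIFETIME = 600                                 # seconds


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header, claims):
    """Build a compact HS256 JWT: b64url(header).b64url(claims).b64url(sig)."""
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify(token, now=None):
    """Signature, alg and expiry checks shared by both token types.
    Audience and typ are deliberately NOT checked here: they are what
    distinguishes an access_token from an id_token, so each consumer
    enforces its own expectation below."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept 'none' or a key-type swap
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return header, claims


def issue_tokens(user, roles, client_id, api_audience, nonce, now=None):
    """Authorization server side: profile claims go only into the id_token
    (aud = client), the role claim only into the access_token (aud = API)."""
    now = int(time.time() if now is None else now)
    access_claims = {
        "iss": ISSUER, "sub": user["sub"], "aud": api_audience, "client_id": client_id,
        "iat": now, "exp": now + TOKEN_LIFETIME,
        "role": roles,                                   # what the caller may do at the API
    }
    id_claims = {
        "iss": ISSUER, "sub": user["sub"], "aud": client_id,
        "iat": now, "exp": now + TOKEN_LIFETIME, "nonce": nonce,
        "firstName": user["firstName"], "lastName": user["lastName"],   # who the user is
        "age": user["age"], "gender": user["gender"],
    }
    # RFC 9068 header typ "at+jwt" lets the API refuse an id_token sent as a bearer token.
    access_token = _sign({"alg": "HS256", "typ": "at+jwt"}, access_claims)
    id_token = _sign({"alg": "HS256", "typ": "JWT"}, id_claims)
    return access_token, id_token


def authorize_api_request(bearer_token, api_audience, required_role, now=None):
    """Resource server side: accept only access tokens minted for this API."""
    header, claims = _verify(bearer_token, now)
    if header.get("typ") != "at+jwt":
        raise ValueError("not an access token")
    if claims.get("iss") != ISSUER or claims.get("aud") != api_audience:
        raise ValueError("token not intended for this API")
    if required_role not in claims.get("role", []):
        raise PermissionError("missing role " + required_role)
    return claims


def validate_id_token(id_token, client_id, expected_nonce, now=None):
    """Client side: the id_token must be addressed to this client and bound to
    the nonce this client generated for the login (replay protection)."""
    header, claims = _verify(id_token, now)
    if header.get("typ") == "at+jwt":
        raise ValueError("access token presented as id_token")
    if claims.get("iss") != ISSUER or claims.get("aud") != client_id:
        raise ValueError("id_token not addressed to this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(check, *args):
    """Run a validator; return None if it accepts the token, else the error message."""
    try:
        check(*args)
        return None
    except (ValueError, PermissionError) as exc:
        return str(exc)


# Constructed sample user for the demo.
SAMPLE_USER = {"sub": "user-42", "firstName": "Ada", "lastName": "Lovelace", "age": 36, "gender": "female"}

if __name__ == "__main__":
    at, idt = issue_tokens(SAMPLE_USER, ["admin"], "spa-client", "https://api.example", "n-1")
    print("API accepts access_token, role:", authorize_api_request(at, "https://api.example", "admin")["role"])
    print("client accepts id_token, user:", validate_id_token(idt, "spa-client", "n-1")["firstName"])
    print("API rejects id_token:", rejection_reason(authorize_api_request, idt, "https://api.example", "admin"))
    print("client rejects access_token:", rejection_reason(validate_id_token, at, "spa-client", "n-1"))
```

Two practical points follow from the split. The API never sees firstName or gender unless you put them in the access_token on purpose (the exception the answer mentions), and the client cannot learn roles from the id_token; each side only has the claims it needs. The `typ` and `aud` checks are what make the separation enforceable: without them a client bug that sends the id_token as a bearer token would be silently accepted by any API sharing the signing key.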