Types of Security Token
This article demonstrates different types of tokens in OpenID Connect. At the end of this article, you will have a clear understanding of the below points,
About JSON Web Tokens (JWT).
-
What is an Access Token?
- Example of an Access Token.
- Why do we need an Access Token?
-
What is an ID Token?
- Example of an ID Token.
- Why do we need an ID Token?
-
What is a Refresh Token?
- Example of a Refresh Token.
- Why do we need a Refresh Token?
About JSON Web Token (JWT)
- JWT i.e. JSON Web Tokens is an important piece in ensuring trust and security in your application.
JWT allows claims such as user data to be represented securely.
A JWT is represented as a sequence of base64url encoded values that are separated by a dot character. Its ideal format is like “Header.Payload.Signature”, where the header keeps metadata for the token. The payload is the claims of the entity (typically a user) and a signature for the signed token.
The Signed token is generated by combining the encoded JWT header and Payload and it is signed by using an encryption algorithm like HMAC SHA–256. The signature private key is always held by the server so it will be able to verify existing tokens as well as sign new tokens.
JWT could be used as an opaque identifier and could be inspected for additional information – such as identity attributes that it represents as claims.
Sample JWT token format could look like
What is an Access Token?
Access tokens are credentials used to access protected resources.
Access tokens are used as bearer tokens. A bearer token means that the bearer (who holds the access token) can access authorized resources without further identification.
Because of this, bearer tokens must be protected.
These tokens usually have a short lifespan for security purposes. When it expires, the user must authenticate again to get a new access token limiting the exposure of the fact that it is a bearer token.
Access token must never be used for authentication. Access tokens cannot tell if the user has authenticated. The only user information the access token processes is the user id, located in sub-claims.
The application receives an access token after a user successfully authenticates and authorizes access. It is usually in JWT format but does not have to be.
The application should treat access tokens as opaque strings since they are meant for APIs. Your application should not attempt to decode them or expect to receive a token in a particular format.
This token does not contain any information about the user itself besides their ID (“sub”). It only contains authorization information about which actions the application is allowed to perform at the API (“scope”). This is what makes it useful for securing an API, but not for authenticating a user.
An access token is put in the Authorization header of your request, usually looks like Bearer “access_token” that the API you are calling can verify and grant you access.
Example of an Access Token
Here is the sample response from the token endpoint! The response includes the ID token and access token. Your application can use the access token to make API requests on behalf of the user.
{
"token_type": "Bearer",
"expires_in": 86400,
"access_token": "vCwWSQiaYhMHN2IbnEijtDWJ-BpiHbPohI6tOVrkrUrL2MqlF05K84MhBzvoC6iShEdUXl7t",
"scope": "openid profile email photo",
"id_token": "eyJraWQiOiJzMTZ0cVNtODhwREo4VGZCXzdrSEtQUkFQRjg1d1VEVGxteW85SUxUZTdzIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJmcmlnaHRlbmVkLWhlcnJpbmdAZXhhbXBsZS5jb20iLCJuYW1lIjoiRnJpZ2h0ZW5lZCBIZXJyaW5nIiwiZW1haWwiOiJmcmlnaHRlbmVkLWhlcnJpbmdAZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL3BrLWRlbW8ub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJpVnUwQUMyOFFHLXNwc1psWk1janFRY2EiLCJpYXQiOjE2MDQyMTY1MzgsImV4cCI6MTYwNjgwODUzOCwiYW1yIjpbInB3ZCJdfQ.ZoPvZPaomdOnnz2GFRGbgaW7PPWIMFDqSBp0gbN4An4a9F-Bc-4_T9EBGV8aGetyjZYAON0gjNV0p0NGFiwettePWKuxBzusuGCEd9iXWWUO9-WTF5e2AGr3_jkg34dbxfiFXy3KgH7m0czm809cMaiZ_ofLYgJHVD8lqMQoWifhoNhpjPqa19Svc3nCHzSYHUgTXQWvA56NmQvyVPh_OM7GMpc6zHopmihJqt3eREof8N-bOd7FL39jeam2-k1TFSDogyJE513aC0OssRADr_TWvtL8xoaPkXM_7bXYs9_7erXmzF9la0hvmOuasieetpLhOvFeoiOJWCU9xhxj4Q"
}
Why do we need an Access Token?
Access tokens are used to inform an API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions specified by the scope. It is used to authorize API access.
What is an ID Token?
OpenID Connect always issues ID tokens along with access tokens to provide compatibility with OAuthand match the general tendency for authorizing identity.
ID token carries personal information about end-users that authenticate on an OpenID Connect flow. In addition, this security token contains claims data about the user as saved with the authentication server.
The ID token represents JWT. For example,
If there is an app that uses google to login into users and syncs their calendars, google sends an Id token to the app that includes information about the user.
This token authenticates the user to the application. The audience of this token is set to the application’s identifiers, which means a specific application should consume the token.
Identity token payload contains “auth_time” (when the end-user authenticated), “iss” (who has issued the token), “aud” (Intended audience), “sub” (unique identifier of the user), “idp” etc.
Example of an ID Token (JWT)
Here is the sample response from the token endpoint! The response includes the ID token and access token.
{
"token_type": "Bearer",
"expires_in": 86400,
"access_token": "vCwWSQiaYhMHN2IbnEijtDWJ-BpiHbPohI6tOVrkrUrL2MqlF05K84MhBzvoC6iShEdUXl7t",
"scope": "openid profile email photo",
"id_token": "eyJraWQiOiJzMTZ0cVNtODhwREo4VGZCXzdrSEtQUkFQRjg1d1VEVGxteW85SUxUZTdzIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJmcmlnaHRlbmVkLWhlcnJpbmdAZXhhbXBsZS5jb20iLCJuYW1lIjoiRnJpZ2h0ZW5lZCBIZXJyaW5nIiwiZW1haWwiOiJmcmlnaHRlbmVkLWhlcnJpbmdAZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL3BrLWRlbW8ub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJpVnUwQUMyOFFHLXNwc1psWk1janFRY2EiLCJpYXQiOjE2MDQyMTY1MzgsImV4cCI6MTYwNjgwODUzOCwiYW1yIjpbInB3ZCJdfQ.ZoPvZPaomdOnnz2GFRGbgaW7PPWIMFDqSBp0gbN4An4a9F-Bc-4_T9EBGV8aGetyjZYAON0gjNV0p0NGFiwettePWKuxBzusuGCEd9iXWWUO9-WTF5e2AGr3_jkg34dbxfiFXy3KgH7m0czm809cMaiZ_ofLYgJHVD8lqMQoWifhoNhpjPqa19Svc3nCHzSYHUgTXQWvA56NmQvyVPh_OM7GMpc6zHopmihJqt3eREof8N-bOd7FL39jeam2-k1TFSDogyJE513aC0OssRADr_TWvtL8xoaPkXM_7bXYs9_7erXmzF9la0hvmOuasieetpLhOvFeoiOJWCU9xhxj4Q"
}
Why do we need an ID Token?
The ID token is used to retrieve the user’s basic profile information like name, DOB, email, and phone, which is present in the authentication server. ID token should not be used to gain access to an API.
What is a Refresh token?
This token is long-lived compared to the access token and is used to request a new access token in cases where it is expired.
It can be considered as credentials used to obtain access tokens.
It's allowed for long-lived access and is highly confidential.
Refresh tokens can be used for grant types – authorization code and password credentials grant.
Refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
You will receive this in an encoded format only that cannot be decoded. An example could be 494c427ace9e04dea03c7234cea96c5ca53e0ce4ea95147e961fd9ebcf8feb84
Example of a Refresh Token
Here is the sample response from the token endpoint! The response includes the access token along with the refresh token.
{
"access_token":"ya29.a0AfH6SMARVjPq6G2y_P3hn3mbDdnRVrTGwO1ZkTXvUHye9wcpAPyiRKilq6Wh20TRbVx0nA1Nn8z1cpk_Jjs6qRwDvbOFNZhpA8e2GxDRcJ_PlrhlMnauvxktSDkjUyG-NWwuckHpiaOfr_uITriM0aS2t3HbGIKQJiU",
"scope":"https://mail.google.com/",
"token_type":"Bearer",
"expires_in":3599,
"refresh_token":"1//0419Pth1mYFyBCgYIARAAGAQSNwF-L9IrcV8zK4wHDznJqUbeXrcEoE2O-Tmz7ryNpztTrLOiYOvs-0z4hxddGBpcKc0pEzLcWFI"
}
Why do we need Refresh token?
As access token has defined lifetimes, there could be a possibility that the current access token becomes invalid or expires. This is the token used to request new access tokens without user interaction.
Requesting an access token using a refresh token
While requesting a refresh token, the scope should be set as offline_access to the scope parameter.
Method: POST
Content-Type: application/x-www.form-urlencoded
Authorization: Bearer “access token”
https://authorization-server.com/token?
grant_type=refresh_token
&refresh_token =<<refresh_token>>
&scope=offline_access
Application receives an access token with redirect URI.
{
"token_type": "Bearer",
"expires_in": 86400,
"access_token": "QKY08tqDO8aeNebZbfgUFs1PH-cjerK2WBvE9FZpYGgZHnS_nLfhKYTECMBmPF_chz5GipOA",
"scope": "photo offline_access",
"refresh_token": "8V2dMpzRqB5cQDvoTb6X_Msl"
}
Last Minute Summary
Below is a quick reference of all the tokens at a glance,
Access tokens are used in token-based authentication to gain access to resources by using them as bearer tokens.
Refresh token is a long-lived special kind of token used to obtain a renewed access token.
ID token carries identity information encoded in the token itself, which must be a JWT. It must not contain any authorization information, or any audience information — it is merely an identifier for the user.
Top comments (2)
I think there is some good stuff in this article, although I will point out the following no-so-great advice:
Only EdDSA should be used, HMAC never, and RSA rarely. If your auth provider isn't using EdDSA, you actually want to switch providers.
This is nonsensical, access tokens are generated as a result of authentication. Saying they must not be used for authentication, doesn't make sense. Further, the holder of an access token has authenticated! Also the access token can contain any information, there are no limitations on what can be in the access token.
This is just wrong, the ID token is only used to contain OpenID user information, it has no intended purpose, and should never be used for any type of security related action.
The password credentials grant should never be used, and refresh tokens must and can only be used with
refresh_token
grant type.For a more advanced info on the topic I recommend something like this FAQ which has a lot of JWT based answers.
Brilliant article and I love the appropriate use of MEMEs