Rahul Vijayvergiya

Posted on Jun 12

Access Tokens vs Refresh Tokens vs ID Tokens

#tokens #jwt #idtoken #refreshtoken

In modern web and mobile applications, securing communication between clients and servers is critical. Tokens play a significant role in this process, especially in authentication and authorisation mechanisms. Among these tokens, Access Tokens, Refresh Tokens, and ID Tokens are the most commonly used. This article explores their differences, purposes, and how they work together to provide secure and efficient access control.

1. Access Tokens

Purpose:

Access Tokens are primarily used to authorise access to protected resources or APIs. When a user logs into an application, the application requests an Access Token from an authorisation server (like OAuth 2.0). This token is then used to access resources on behalf of the user.

Characteristics:

Short-lived: Access Tokens typically have a short lifespan, usually ranging from a few minutes to a few hours. This minimises the risk of misuse if the token is compromised.
Bearer Token: They are usually bearer tokens, meaning that any party in possession of the token can use it to access the associated resources.
Stateless: Access Tokens are generally stateless, meaning the server does not need to store token details; instead, it validates the token based on its signature and claims.

Usage:

When an application needs to access protected resources, it includes the Access Token in the HTTP Authorisation header as a Bearer token:

GET /resource HTTP/1.1
Host: api.example.com
Authorization: Bearer <access_token>

2. Refresh Tokens

Purpose:

Refresh Tokens are used to obtain a new Access Token without requiring the user to re-authenticate. This is particularly useful for maintaining a seamless user experience in applications where users need continuous access over extended periods.

Characteristics:

Long-lived: Refresh Tokens typically have a longer lifespan compared to Access Tokens, often lasting days, weeks, or even months.
Secure Storage: They must be stored securely (e.g., using encrypted storage) because their long lifespan increases the risk if they are compromised.
Revocable: The server can revoke Refresh Tokens at any time, for instance, if a user logs out or if there are security concerns.

Usage:

When an Access Token expires, the application sends the Refresh Token to the authorisation server to obtain a new Access Token:

POST /token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=<refresh_token>

3. ID Tokens

Purpose:

ID Tokens are used to authenticate the user and provide identity information. They are commonly used in OpenID Connect (OIDC), which is an identity layer built on top of OAuth 2.0.

Characteristics:

JWT Format: ID Tokens are typically JSON Web Tokens (JWT), which are compact and URL-safe, making them easy to pass around in web applications.
Claims: They contain claims about the user, such as user ID, name, email, and other profile information.
Short-lived: Like Access Tokens, ID Tokens also have a short lifespan to reduce security risks.

Usage:

When a user logs in, the authorisation server issues an ID Token along with the Access Token. The ID Token can be used by the client to get user information without querying the user database:

{
  "iss": "https://auth.example.com",
  "sub": "1234567890",
  "aud": "client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "name": "John Doe",
  "email": "john.doe@example.com"
}

Differences and How They Work Together