Auth0 Home Blog Docs

Accesstoken and Id-Token. Which one to use and how to validate an opaque accesstoken?


Hi there,

im currently implementing SSO like login for my application.
The infrastructure is like this:

Third Party authentication -> Auth0 -> My Angular Frontend -> My Backend API (.Net Core 2.1).

Please note my Backend API wont issue any further requests to another API.

For my angular frontend im using the implicit grant to get and accesstoken and IDtoken.
The question is wether to reuse the accesstoken in my Backend API or the Id-Token.

Accordingly to the Auth0 Documentation i should use the access token to secure my API.
Altough as far is I understand this would be the case if my API is standalone.
In my case the API is part of the same application as my frontend therefore using the ID-Token could suffice?

Personally i would prefer using the accesstoken and revalidate it with auth0 in the backend.
But i couldn’t find any resource how to accomplish this (preferibly with built-in ways of .net core).
The quickstart guide only shows how to parse a JWT.
In my case the access-token is an opaque string, though.