Confusion around Authorization

Hi All,
I’ve read lots of articles about authorization and actually worked on a few solutions that use it. However, I still find the term confusing.

  1. When is Authorization actually happening? I believe it is the moment when a resource verifies an access token and decides whether it should grant me access to some data or not. Is that correct? For a long time, I thought that the act of receiving an access token by itself is already “authorization”. If not, what is it, what do we call it? In some sense, I feel that it also is authorization, because not everyone can receive access tokens. But probably I’m confusing two separate things here:
  • authorization to get an access token
  • authorization to access the actual data
  2. Another confusion is when people say that ID Tokens are about authentication. I understand the fact that they may be used to display the username on the website, and since we trust the token issuer, we trust the data in the token signed by that issuer. Why did we split ID Tokens and Access Tokens? Why isn’t it the same thing, just differing in the amount of information? I mean, if I ask for a token with a scope “profile”, I will get some token with just profile information. If I ask for a token with scopes “profile read_mail”, I’d get a similar token with some added scope. Why don’t we have just one kind of “token”?

Hello @mnj,

I would suggest you are correct on the first point. Terminology is never going to be exact, and terms like this are debated endlessly in the identity space. It is worth noting that “authorization” in the context of OAuth is actually not accurate. OAuth allows a resource owner to delegate to a 3rd party (limited) authority over a resource that the resource owner owns. But there’s a catch which you allude to: it is ultimately the resource server that will decide whether the access is allowed, no matter what authority the resource owner has agreed to. As smarter people than I have put it: OAuth is a delegation protocol, not an authorization protocol (and to be pedantic, it’s not even a protocol!)

ID Tokens are part of OpenID Connect, not OAuth. Access tokens are part of OAuth. The audience for an ID token is the client application, where the audience for an access token is an API. Access Tokens do not need to be JWTs, though that is how they are often implemented (OAuth says nothing about the nature or content of an access token). ID Tokens must be JWTs. They are different objects from different specs for very different purposes.

2 Likes
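To make the two points in the reply above concrete (the resource server makes the access decision, and an ID token and an access token are different objects with different audiences), here is an added example that is not part of the original thread or any project's code. It mints both kinds of token as HS256 JWTs with a shared demo secret, then shows a client that only accepts ID tokens and an API that only accepts access tokens for its own audience and required scope. The issuer URL, client ID, API audience and secret are made-up values; a real deployment would use the issuer's published asymmetric keys rather than a shared secret, and the `scope` claim follows the space-separated form of the JWT access token profile (RFC 9068).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not from the thread).
ISSUER = "https://issuer.example"           # hypothetical OpenID Provider / authorization server
CLIENT_ID = "spa-client-123"                # hypothetical OIDC client (the ID token's audience)
API_AUDIENCE = "https://mail.example/api"   # hypothetical resource server (the access token's audience)
SECRET = b"demo-only-shared-secret"         # HS256 key shared by issuer and verifiers; demo only
LIFETIME = 300                              # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Issuer side: produce a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token: str) -> dict:
    """Verifier side: check structure, alg, signature, issuer and expiry; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":        # refuse alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


# --- issuer: two different tokens for the same user and client ---
def issue_id_token(sub: str, name: str) -> str:
    now = int(time.time())
    return sign_jwt({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                     "name": name, "iat": now, "exp": now + LIFETIME})


def issue_access_token(sub: str, scopes: list) -> str:
    now = int(time.time())
    return sign_jwt({"iss": ISSUER, "sub": sub, "aud": API_AUDIENCE,
                     "scope": " ".join(scopes), "client_id": CLIENT_ID,
                     "iat": now, "exp": now + LIFETIME})


# --- client application: consumes ID tokens addressed to it ---
def client_accepts_id_token(token: str) -> bool:
    try:
        claims = decode_jwt(token)
    except ValueError:
        return False
    return claims.get("aud") == CLIENT_ID and "sub" in claims


# --- resource server: this is where the access decision is actually made ---
def api_authorizes(token: str, required_scope: str) -> bool:
    try:
        claims = decode_jwt(token)
    except ValueError:
        return False
    if claims.get("aud") != API_AUDIENCE:
        return False                        # an ID token, or a token for another API, is useless here
    return required_scope in claims.get("scope", "").split()


def forge_scope(token: str, extra_scope: str) -> str:
    """Re-encode the payload with an added scope but keep the old signature (attacker's attempt)."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["scope"] = (claims.get("scope", "") + " " + extra_scope).strip()
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    id_tok = issue_id_token("user-1", "Alice")
    at_mail = issue_access_token("user-1", ["profile", "read_mail"])
    at_profile = issue_access_token("user-1", ["profile"])
    print("client accepts ID token:", client_accepts_id_token(id_tok))
    print("client accepts access token:", client_accepts_id_token(at_mail))
    print("API authorizes read_mail with read_mail scope:", api_authorizes(at_mail, "read_mail"))
    print("API authorizes read_mail with profile scope only:", api_authorizes(at_profile, "read_mail"))
    print("API authorizes read_mail with an ID token:", api_authorizes(id_tok, "read_mail"))
    print("API authorizes forged scope:", api_authorizes(forge_scope(at_profile, "read_mail"), "read_mail"))
```

The token with only the `profile` scope is perfectly valid (signed, unexpired, correct issuer), yet the API still refuses `read_mail`: obtaining a token and being granted access to a resource are the two separate decisions the question distinguishes. Swapping the tokens fails in both directions on the audience check alone, which is the practical reason the two objects are kept apart.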