I’ve read lots of articles about authorization and actually worked on a few solutions that use it. However, I still find the term confusing.
- When is Authorization actually happening? I believe it is the moment when a resource verifies an access token and decides whether it should grant me access to some data or not. Is that correct? For a long time, I thought that the act of receiving an access token by itself is already “authorization”. If not, what is it, and what do we call it? In some sense, I feel that it also is authorization, because not everyone can receive access tokens. But probably I’m confusing two separate things here:
  - authorization to get an access token
  - authorization to access the actual data
- Another confusion is when people say that ID Tokens are about authentication. I understand the fact that they may be used to display the username on the website, and since we trust the token issuer, we trust the data in the token signed by that issuer. Why did we split ID Tokens and Access Tokens? Why isn’t it the same thing, just differing in the amount of information? I mean, if I ask for a token with a scope “profile” I will get some token with just profile information. If I ask for a token with scopes “profile read_mail” I’d get a similar token with some added scope. Why don’t we have just one kind of “token”?
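As an added illustration (not part of the question above), here are the two checks the question separates, side by side: the resource server authorizing a data request from an access token's audience and scope, and the client authenticating a user from an ID token's audience (its own client_id) and nonce. The issuer URL, audience strings, HMAC key and HS256-style signing are constructed placeholders, not any particular provider's implementation.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values: symmetric issuer key (HS256-style), issuer URL, mail API audience.
ISSUER_KEY = b"demo-issuer-key"
ISSUER = "https://issuer.example"
MAIL_API_AUD = "https://mail.example/api"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict, ttl_seconds: int = 300) -> str:
    """Mint a compact JWT-style token (header.payload.signature) from the demo issuer."""
    claims = {**claims, "iss": ISSUER, "exp": int(time.time()) + ttl_seconds}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, expected_aud: str) -> dict:
    """Checks both token kinds share: signature, issuer, audience, expiry. Raises on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was not issued for this audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def resource_server_authorize(access_token: str, required_scope: str) -> bool:
    """Mail API side: authorization is decided here, at access time, from the access token's aud and scope."""
    try:
        claims = verify(access_token, expected_aud=MAIL_API_AUD)
    except ValueError:
        return False
    return required_scope in claims.get("scope", "").split()

def client_authenticate(id_token: str, client_id: str, nonce: str):
    """Web app side: authentication from the ID token, whose aud is the client_id and which binds nonce to sub."""
    try:
        claims = verify(id_token, expected_aud=client_id)
    except ValueError:
        return None
    return claims.get("sub") if claims.get("nonce") == nonce else None
```

Handing an ID token to `resource_server_authorize` fails on the audience check alone, and handing an access token to `client_authenticate` fails the same way, which is what keeps each token usable only by the party it was minted for.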