Id Token vs Access Token

kris.macgillivray · January 21, 2022, 4:24pm

Trying to understand where to use Access Token vs ID token.

Auth0 is setup as the SP for on Application. We have configured a SAML connection to our IDp (which is connected to our Internal Active Directory).

The internal users will have certain defined roles in the application which we are passing as attributes to Auth0 via the saml connection. (Depending on the Active Directory Groups they are a member of)

We are adding the roles via rules in Auth0 to during authentication.

Should these roles be part of the Access Token, ID Token, both ?

sgo · January 21, 2022, 4:59pm

Hi @kris.macgillivray ,

ID Tokens should never be used to obtain direct access to APIs or to make authorization decisions. Therefore I would recommend putting the role information into your Access Tokens.

Any actual decisions made with respect to a user’s roles should be done from the information in the Access Token. Think of an ID token as a cache for the user’s profile, useful for populating a UI with their name etc, but not to be used for any authorization purposes.

dmytro.demakov · January 27, 2022, 1:56pm

Just wondered yesterday
Found this video extra helpful ID Tokens vs Access Tokens - Do you know the difference?! - YouTube

Topic		Replies	Views
Using only ID Token, with own roles/permissions database Get Help	2	1583	May 23, 2022
Using access token for Authorization Get Help	3	4091	February 18, 2019
Adding permissions in ID token Get Help oauth-2-0 , protocols	6	1785	April 12, 2024
Appropriate token usage for 1p webapp Get Help jwt , oidc , access-token , id-token	2	2181	September 27, 2022
Access token vs id token usage Get Help	3	3856	August 30, 2019

Id Token vs Access Token

Related topics