In the OIDC protocol:
ID token
is a JWT token (usually short-lived) that contains explicit claims about the agent's identity. It is an optimization strategy to access identity data quickly without having to execute a lookup in a slower persistent storage. ID tokens are used for authentication, not for resource access. They do not define the concept of scopes.
Access token
can be a JWT token (usually short-lived), but this is not a requirement. They are used as bearer tokens to validate resource access. That validation is done via scopes. The only piece of identity that an Access token contains is the agent's ID.
Refresh token
A refresh token is a long-lived token whose purpose is to renew short-lived tokens (ID token or Access token). This helps prevent man-in-the-middle attacks by refreshing the short-lived token often. The refresh token cannot be used to authenticate or authorize an agent's access. It can only be used to renew a token. Because this renewal happens infrequently, it should decrease (but definitely not remove) the risk of being intercepted. Refresh tokens are highly sensitive and must be stored with extreme care. When they are used in a web browser, it is recommended to store them in an http-only cookie (more details in this article). It is also recommended to support the ability to revoke them for all or some of your agents in case of a security breach.
References:
https://medium.com/@darutk/understanding-id-token-5f83f50fa02e
The OAuth2 protocol does not impose any rules on how to build tokens, but the OIDC does. OIDC uses a series of reserved claim names (for an exhaustive list, please refer to https://tools.ietf.org/html/rfc7519#section-4). For example, with OIDC, an ID token must be a JWT token containing the following claims at a minimum:
iss - Issuer: Principal that issued the JWT.
sub - Subject: Principal that is the subject of the JWT.
aud - Audience: Recipients that the JWT is intended for.
iat - Issued At: Time at which this token was created, expressed in epoch seconds.
exp - Expiration: Time at which this token expires, expressed in epoch seconds.
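The following is an added example, not code from the original article, showing the two checks described above on the relying-party side: an ID token is accepted for authentication only if its signature verifies and the five minimum claims (iss, sub, aud, iat, exp) are present and consistent with the expected issuer, audience and time window; an access token is accepted for resource access only if it carries the required scope. It assumes an HS256-signed JWT with a shared secret and uses constructed values for the secret, issuer and client id; a production deployment would normally verify an asymmetric signature against the provider's published keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not from any real provider).
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "my-client-id"

# Minimum claims an OIDC ID token must carry, as listed in the text.
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "iat", "exp")
CLOCK_SKEW_SECONDS = 60


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS. Used here only to construct sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_signature(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the payload claims.
    Only HS256 is accepted, so a header claiming alg "none" is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_id_token(token: str, key: bytes, now=None) -> dict:
    """Authentication: signature, required claims, issuer, audience, time window."""
    now = int(time.time()) if now is None else now
    claims = verify_signature(token, key)
    missing = [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in claims]
    if missing:
        raise ValueError("missing required claims: %s" % ", ".join(missing))
    if claims["iss"] != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    # aud may be a single string or a list of recipients; this client must be among them.
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if EXPECTED_AUDIENCE not in aud:
        raise ValueError("token not intended for this client")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["iat"] > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")
    return claims


def authorize_access_token(token: str, key: bytes, required_scope: str, now=None) -> str:
    """Authorization: the bearer token grants access only if it carries the scope.
    Returns the agent's id (sub), the only identity information an access token carries."""
    now = int(time.time()) if now is None else now
    claims = verify_signature(token, key)
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise PermissionError("scope %r not granted" % required_scope)
    return claims["sub"]


if __name__ == "__main__":
    now = int(time.time())
    id_tok = sign_hs256({"iss": EXPECTED_ISSUER, "sub": "user-42", "aud": EXPECTED_AUDIENCE,
                         "iat": now, "exp": now + 300}, SHARED_SECRET)
    print("authenticated:", validate_id_token(id_tok, SHARED_SECRET)["sub"])
    at = sign_hs256({"sub": "user-42", "scope": "read:docs", "exp": now + 300}, SHARED_SECRET)
    print("authorized for read:docs:", authorize_access_token(at, SHARED_SECRET, "read:docs"))
```

Note that scope is checked only on the access token and identity claims only on the ID token; an ID token presented as a bearer token would fail the scope check, and an access token lacking iss or aud would fail ID-token validation, which is the separation of roles the text describes.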