{"id":4947,"date":"2019-08-16T11:58:00","date_gmt":"2019-08-16T15:58:00","guid":{"rendered":"https:\/\/www.freelancinggig.com\/blog\/?p=4947"},"modified":"2019-08-16T11:58:02","modified_gmt":"2019-08-16T15:58:02","slug":"openid-connect-difference-between-id_token-and-access_token","status":"publish","type":"post","link":"https:\/\/www.freelancinggig.com\/blog\/2019\/08\/16\/openid-connect-difference-between-id_token-and-access_token\/","title":{"rendered":"OpenID Connect Difference Between id_token and access_token"},"content":{"rendered":"

Hope you understand that a user will get a tokens pair after validating with OpenID Connect. Do you know why there are two different tokens which seemingly do the same kind of thing?<\/p>\n\n\n\n

The format of token and content is not definite by the standard of Open ID connect. They may be anything. It is normal for both tokens to be comparable, most of the time set to accurately the same value, but it does not need to be.<\/p>\n\n\n\n

Think carefully about OpenID Connect as a framework of authentication<\/a>, except just a protocol. It can fully support any type of authentication system, with whatsoever (existing) format of a token.<\/p>\n\n\n\n

There are different\nsolutions and providers: Facebook, Gmail, Forgerock, PingFederate, Microsoft\nActive Directory, and more… each and every one with its own peculiarities.<\/p>\n\n\n\n

As a professional developer\nthat has to put together one of these, you would need to know what is directly\nor indirectly coming out of that specific provider, just that one.<\/p>\n\n\n\n

Response of the Authentication<\/strong><\/p>\n\n\n\n

The specific application\nreceives a reaction like this upon a thriving authentication.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It can be a special\ntype of format, like this as an alternative.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The specific session token is to be effectively saved as a human cookie in a web browser or directly passed as a header for the access like programmatic.<\/p>\n\n\n\n

The thing is which particular one is the session, in case<\/a>, not both? We are just about to getting into that. (You can use the access_token by rule, not just the id_token)<\/p>\n\n\n\n

As a professional and\nexperienced developer, there are two different things to perfectly  care about authentication of user: <\/p>\n\n\n\n