I am a bit confused regarding Access token vs id_token.
I read the following:
- Id_Tokens are not meant for authorization
- Id_Tokens should not be sent to an API
- Access tokens are not used for authentication
But I'm having a problem grasping the situation in "real life". For example, if my frontend receives an id_token from Google sign-in and sends it to the backend, is it safe to create a JWT token that they can use to access resources specific to that user from my own database, after I have controlled the id token with:
https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=id_token
Or do I need an access token for that scenario?
An id token is used for authentication (sign-in, OpenID Connect); think of it as your birth certificate. It identifies the user behind the machine as being, well, themselves.
An access token is for authorization (OAuth2); they are bearer tokens. Think of it as your driver's license. Your driver's license gives you permission to drive a car. An access token gives the bearer of the token access to a set of data. It is not necessarily the user themself. I could create a backend application that every night accesses your Google Analytics account and prepares a report for you, ready for you when you get up in the morning. The access token gives my application access to your data. You can't be sure that the system using the access token is in fact the user.
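A worked illustration of the backend side of the flow in the question, added here as an example (it is not code from the question or the answer): the backend checks the claims of the Google id_token before treating it as a login, keys the user on the stable `sub` claim, and then mints and verifies its own short-lived session JWT. It assumes the id_token's signature has already been verified (by Google's tokeninfo endpoint, as in the question, or by a JWT library); the client id, secret and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # constructed sample
SESSION_SECRET = b"constructed-sample-secret-use-a-random-key-in-practice"
# Constructed sample of the claims inside a Google id_token (already signature-checked).
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "1234567890",
                 "email": "user@example.com", "email_verified": True,
                 "iat": 1_700_000_000, "exp": 1_700_003_600}

def validate_id_token_claims(claims, client_id, now=None):
    """Accept an id_token as proof of login only if it was issued by Google, to us, and is unexpired."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    # aud must be our own client id: a token issued to another app must not log users into ours
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims["sub"]  # stable account id; key your user record on this, not on email

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_session_jwt(sub, secret, ttl=3600, now=None):
    """Issue our own HS256 session token for the authenticated user; this is what the API accepts."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"iss": "my-backend", "sub": sub, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_session_jwt(token, secret, now=None):
    """Verify our session token: always HMAC (ignore the header's alg), constant-time compare, then exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] <= now:
        raise ValueError("session expired")
    return claims["sub"]
```

The id_token is used once, at login, to establish who the user is; the session JWT the backend issues is what subsequently authorizes calls to its own API.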