I am pretty new with these protocols, and I am having some trouble understanding something.
I am currently working on an application which API and Frontend is mine, I use azure identity platform to receive the tokens on the clientside and send the token to the server that validates the token using passport-azure-ad bearerStrategy. (I have my app registration for that purposes ofcourse).
The thing that I don't get, is that I missed correctly used the tokens I received from azure in my client and sent the ID Token to my API, it verifes it as a valid one and user is authenticated to perform the request sent.
But, as I read here https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens, and in any other article about oAuth2 and openID, ID tokens are for UX stuff and client, while I should have used the access token in my request to my API.
But howcome the ID Token is also verified in my API? It makes no sense for me, or am I missing something?
And if so, is there any vurlnabilty in using Id Token as I did?
Thank you!
Access tokens and id tokens
1.3k Views Asked by Shlomo Levi At
1
There are 1 best solutions below
Related Questions in OAUTH-2.0
- Not getting refresh token with google oauth2
- SoundCloud Authentication Consistently Returns 401 invalid_grant For Some Users
- How can I share Azure Active Directory authentication between server side and client script?
- OAuth2 and API Json request not working with jQuery Call
- Flask-Restful, oauth, and Salesforce
- Bearer token in MVC controller to access Web API
- Revoking OAuth tokens in Mule
- how to signup user using google-plus integradation in web?
- Need to run getAuthToken twice before receiving access token, why?
- chrome.identity.getAuthToken and refresh token?
- dropbox api authentication (Error: [400] 'invalid_client')
- Retrieve Google Sites's Domain Index feed using OAuth 2.0 with Service Account
- hello.js: Is it possible to set the provider's settings dynamically?
- How to share developer account at LinkedIn
- Linkedin Unsupported POST target
Related Questions in AZURE-ACTIVE-DIRECTORY
- MultipleTokensMatched exception when using default TokenCache
- How can I share Azure Active Directory authentication between server side and client script?
- Azure AD Change Password with patch call
- Azure Active Directory Login: Web App Permissions, User Consent not triggered
- ADALJS Error description:AADSTS65001: No permission to access user information is configured for 'clientId' application, or it is expired or revoked
- app is re-initializing the first time ADAL "protected" URL is accessed via $http
- Validate access token for WEB API protected by Azure AD
- Azure AD Graph API: Is it possible to enumerate all groups associated with an application role?
- Is is possible to use Azure AD as a SAML compliant Identity Provider?
- Microsoft Graph API Accessing basic info of a user that is outside tenancy
- RoundCube OAuth with Azure Active Directory
- Deploy Azure AD WebAPI to IIS, with Windows Authentication enabled, skips Azure AD Authentication
- How to change Is Multiple Resource Refresh Token to true in Azure AD authentication?
- Azure, login to separate accounts with one email
- How to setup nginx to authenticate users through Azure AD?
Related Questions in OPENID-CONNECT
- OpenID Connect Account linking
- Authentication with OAuth and JWT but without OpenID Connect
- How to retrieve an OpenID Connect Identity Token from a cookie
- Windows Live Open ID Connect/Oauth 2.0 How to use for SSO with Apache mod_auth_openidc
- Get the user's email address from Azure AD via OpenID Connect
- Validate an Access Token at the Resource Server and Respond Accordingly
- Google OAuth: What do the various fields in id_token stand for?
- Role based Authorization on WebApi Controllers in IdentityServer4?
- Does OpenID Connect support resource sharing
- Manual accesstoken generation using OpenIdConnect Server (ASOS)
- Failing Okta OAuth2 token validation in AspNetCore
- OpenID Connect Standard: Authorized Party azp Contradiction
- Storage of OAuth access tokens in Javascript clients (e.g. Angular)
- Implementing SSO using OpenID Connect and usage of tokens
- Azure AD OpenIDConnect + ASP.NET Core - Authenticate and Extra Permissions/Token?
Related Questions in AZURE-IDENTITY
- Best Practive: Azure Identity for multiple services
- Azure python function app cant load azure-identity module
- Azure Table JavaScript issue
- Can we create with same deviceid in both IOT Edge and Devices under IOT Hub Device management
- Managed identity access to storage using Flask application
- Error getting Azure secret value by secret name in python
- "User account does not exist in organization" when using Microsoft Graph API
- Open liberty connecting Azure postgreSql database with azure workload identity
- Managed identity only creates an empty container but not a blob
- How block user from creating Azure Subscription
- How to cache token with Microsoft Graph for Java
- Alternative approach to specify user managed identities with DefaultAzureCredential in python SDK
- Access tokens and id tokens
- Revoking a role from Azure User Assigned Managed Identity
- Azure Python SDK automation runbook - error - 'ClientSecretCredential' object has no attribute 'signed_session'
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
APIs should first validate the JWT access token, to check these fields have allowed values. An ID token will then fail the audience check.
Access tokens have scopes, whereas ID tokens do not. Every API endpoint should validate the received scope, eg to ensure that it has received the right type of token. This will also ensure that the API does not accept ID tokens.
So although some API tech stacks accept ID tokens, making the standard checks will ensure the right behavior. And the real API authorization is then done using claims, to apply your business rules.