ID Tokens vs Access Tokens
fleeting
- External reference: https://oauth.net/id-tokens-vs-access-tokens/
- ID tokens are meant to be read by the OAuth client. Access tokens are meant to be read by the resource server.
- ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.
- ID tokens should never be sent to an API. Access tokens should never be read by the client.
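Added example (not from the linked article or from this note): a resource server that refuses ID tokens by checking the `typ` header defined for JWT access tokens in RFC 9068 and the `aud` claim. The key, audience, client id and sample tokens are constructed for the demo, and HS256 with a shared key is an assumption made only so it runs on the standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo; HS256 with a shared key keeps it stdlib-only.
KEY = b"constructed-demo-key"
API_AUDIENCE = "https://api.example"   # assumed identifier of this resource server
CLIENT_ID = "demo-client"              # assumed OAuth client id

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header: dict, claims: dict) -> str:
    """Sign a sample token (stands in for the authorization server)."""
    body = b64(json.dumps(header).encode()) + "." + b64(json.dumps(claims).encode())
    return body + "." + b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def accept_at_api(token: str) -> tuple[bool, str]:
    """Resource-server check: accept only access tokens issued for this API."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(unb64(h64)), json.loads(unb64(c64)), unb64(s64)
    except ValueError:
        return False, "not a JWT"   # e.g. an opaque access token: introspect it instead
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "not a JWT"
    if header.get("alg") != "HS256":            # pin the algorithm before verifying
        return False, "unexpected alg"
    expected = hmac.new(KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # RFC 9068 JWT access tokens carry typ "at+jwt"; ID tokens do not.
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        return False, "not an access token (typ)"
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"          # an ID token's aud is the client_id
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return False, "expired"
    return True, "ok"

NOW = int(time.time())
ID_TOKEN = make_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "aud": CLIENT_ID, "exp": NOW + 300, "nonce": "n-1"})
ACCESS_TOKEN = make_jwt({"alg": "HS256", "typ": "at+jwt"}, {"sub": "alice", "aud": API_AUDIENCE, "exp": NOW + 300, "scope": "read"})

if __name__ == "__main__":
    for name, tok in (("access token", ACCESS_TOKEN), ("ID token", ID_TOKEN), ("opaque", "f3a9c0d2")):
        print(name, "->", accept_at_api(tok))
```

The `aud` check is the one that still holds when an authorization server does not set `typ`: an ID token is issued to the client, so its audience is the client id and never the API.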
Notes linking here
- As an openid provider (blog)
- Keycloak provides a lot of user-related information in the access token by default.
- OAuth 2.0
- using id token as access token?