Konubinix' opinionated web of thoughts

Using Id Token as Access Token?

Fleeting

When one follows the OpenID Connect flows (that is, the OAuth 2.0 flows with the scope openid), one gets an ID Token as well as an access token. One would be tempted to use this ID Token to get access to the resources and drop the access token.

I’m totally fine with that, but there are a few situations where it might be ill-suited. Here are the fundamental differences I found that should be thought about before separating authentication and authorization (see OIDC vs OAuth2).

semantically

The ID Token and the access token are two really different things, built on two different layers of the OpenID Connect protocol.

This means that the knowledge those tokens convey does not have the same granularity. You may have an ID Token that says who you are while being refused access to some resources. Or you might want to provide access to some resource without revealing the user's identity.

in terms of lifetime

OAuth 2.0’s access token is the key that gives access to some resource. This makes it very critical, and hence it should have a very short lifetime. Indeed, if an access token is stolen, the thief has access to the resource only for a very short period of time, after which another communication with the authorization server is needed (using the refresh token, for example) to get a fresh access token. Putting the authorization server at the center of this process eases access revocation.

On the other hand, the ID Token gives knowledge about the user. It may have an expiration date to incentivize the client to get up-to-date information about the user, but it does not need to.

in terms of size

The access token is a bearer token. That means that it must be transmitted to the resource server to get access to the resource. Also, in the initial flows, it is provided in the URL.

Hence, it must be as small as possible.

Actually, the JWT, JWS and JWE standards (also defined by the OAuth 2.0 guys) have in mind the need to keep the data as short as possible. This is why JWT defines three-character claim keys and why JWS and JWE define a compact serialization. Even if it is not stated explicitly, it appears that this is exactly to fulfil the access token purpose.

The JWS Compact Serialization is a compact, URL-safe representation intended for space constrained environments such as HTTP Authorization headers and URI query parameters

https://datatracker.ietf.org/doc/html/rfc7515

In contrast, the ID Token may provide a bunch of information about the user. It may end up being quite a big token.

Using an ID Token as an access token results in transmitting for every request a token that is unnecessarily big.
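To put numbers on this, here is an added example (not part of the original note) that builds a JWS Compact Serialization by hand and compares the per-request Authorization header size of a minimal access token with that of a claim-rich ID Token. The key, issuer, claim values and the `groups` claim are constructed for the illustration, and HS256 is used only to stay within the standard library.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret, for this example only

def b64url(data: bytes) -> str:
    # base64url without padding, as the JWS Compact Serialization requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jws_compact(claims: dict, key: bytes = KEY) -> str:
    # BASE64URL(header) "." BASE64URL(payload) "." BASE64URL(signature)
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])

def verify(token: str, key: bytes = KEY) -> dict:
    # Recompute the MAC over the first two segments, compare in constant time
    head, payload, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

# Constructed claim sets (every value is made up)
ACCESS_CLAIMS = {"iss": "https://as.example", "sub": "u-1234", "aud": "https://api.example",
                 "exp": 1700000300, "scope": "read:notes"}
ID_CLAIMS = {"iss": "https://as.example", "sub": "u-1234", "aud": "client-app",
             "exp": 1700003600, "iat": 1700000000, "nonce": "n-0S6_WzA2Mj",
             "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe",
             "email": "jane.doe@example.com", "email_verified": True,
             "picture": "https://as.example/avatars/u-1234.png",
             "locale": "en-US", "zoneinfo": "Europe/Paris",
             "groups": ["staff", "notes-editors", "billing-viewers"]}

def header_size(token: str) -> int:
    # Bytes added to every request by "Authorization: Bearer <token>"
    return len(f"Authorization: Bearer {token}\r\n".encode("ascii"))

def compare() -> dict:
    access, ident = jws_compact(ACCESS_CLAIMS), jws_compact(ID_CLAIMS)
    return {"access": header_size(access), "id": header_size(ident)}

if __name__ == "__main__":
    sizes = compare()
    print(sizes, "extra bytes per request:", sizes["id"] - sizes["access"])
```

Because base64url inflates the payload by about a third, every profile claim added to the ID Token costs more on the wire than its JSON length suggests.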

in terms of security

Because the ID Token is not meant to be used that way, the associated flows don’t focus that much on making sure an attacker cannot get access to it.