I am pretty new with these protocols, and I am having some trouble understanding something.
I am currently working on an application whose API and frontend are both mine. I use the Azure identity platform to receive the tokens on the client side and send the token to the server, which validates the token using the passport-azure-ad BearerStrategy (I have my app registration for that purpose, of course).
The thing I don't get is that I mistakenly used the tokens I received from Azure in my client and sent the ID token to my API; it verifies it as a valid one and the user is authenticated to perform the request sent.
But, as I read here https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens, and in every other article about OAuth2 and OpenID, ID tokens are for UX stuff and the client, while I should have used the access token in my request to my API.
But how come the ID token is also verified by my API? It makes no sense to me, or am I missing something?
And if so, is there any vulnerability in using the ID token as I did?
Thank you!
Access tokens and id tokens
1.3k views. Asked by Shlomo Levi.
There is 1 answer.
APIs should first validate the JWT access token, to check that these fields have allowed values. An ID token will then fail the audience check.
Access tokens have scopes, whereas ID tokens do not. Every API endpoint should validate the received scope, e.g. to ensure that it has received the right type of token. This will also ensure that the API does not accept ID tokens.
So although some API tech stacks accept ID tokens, making the standard checks will ensure the right behavior. And the real API authorization is then done using claims, to apply your business rules.