Different Tokens
Tokens are artifacts that carry the result of an authentication or authorization process between systems: an identity provider or authorization server issues them, and a client application or API acts on their contents only after validating them.
OpenID Connect (OIDC)
OpenID Connect (OIDC) is an identity layer that handles user authentication, user consent and token issuance. OIDC introduces the ID Token.
The OpenID Connect protocol is built on top of OAuth 2.0.
OAuth 2.0
OAuth 2.0 is one of the most popular authorization frameworks out there.
It is designed to allow an application to access resources hosted by other servers on behalf of a user.
OAuth 2.0 uses Access Tokens and Refresh Tokens.
ID Tokens
Also known as Identity tokens or Profile tokens.
Defined by the OpenID Connect protocol, which is built on top of OAuth 2.0; an ID token is always a JSON Web Token (JWT).
Authentication
Used to prove to the client application that a user is who they say they are.
An ID token carries claims about the authenticated user: always a stable subject identifier (sub) and, depending on the scopes requested, details such as the user's name, email and profile picture.
Client applications can use the ID token to build a user profile to personalize the user experience.
An authorization server that implements OpenID Connect issues an ID token to its client whenever a user logs in. Before trusting any claim in it, the client must validate the token: check the signature against the provider's keys, that the issuer (iss) is the expected provider, that the audience (aud) is the client's own client_id, that it has not expired (exp), and that the nonce matches the one sent in the authentication request.
The consumers of ID tokens are client applications such as Single-Page Applications (SPAs) and mobile applications. An ID token is meant for the client, not for APIs: do not send it to a web API in place of an access token.
link - docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
Access Tokens
Defined by the OAuth 2.0 protocol.
Authorization
An access token is a bearer token: whoever holds it can use it, so it must be kept confidential and sent only over TLS.
Allows the bearer of the token to call a protected API.
Short-lived, typically around an hour; the lifetime is set by the authorization server and reported to the client in the expires_in value of the token response, so do not hard-code it.
When a client application needs to access protected resources on a server on behalf of a user, the access token lets the client signal to the server that it has received authorization by the user to perform certain tasks or access certain resources.
OAuth 2.0 doesn't define a format for access tokens. Many providers, including the Microsoft identity platform, issue them as JWTs, but the token is addressed to the API it was issued for: the client should treat it as an opaque string and leave validation to the resource server.
Once an access token expires, the client application could prompt the user to log in again to get a new access token.
Alternatively, the authorization server could issue a refresh token to the client application that lets the client "refresh" the expired access token with a new one.
link - docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
Refresh Tokens
Used to obtain a renewed access token.
A refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again.
Because it lives longer than an access token and lets its holder mint new ones, it is the most sensitive of the three tokens: store it as carefully as a password, expect the authorization server to rotate it on use or revoke it, and be ready to fall back to an interactive login when a refresh request fails.
link - docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
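The access token and refresh token behaviour described in the two sections above, as an added example that is not code from the original page: a client presents the access token as a bearer credential, refreshes it shortly before expires_in runs out, and has to cope with refresh token rotation and revocation. The authorization server's token endpoint and the protected API are simulated in-process (an assumption) so it runs offline; a real client POSTs the same form fields to the provider's /token endpoint over TLS.

```python
# Added example (not code from the original page): bearer access tokens,
# expiry driven by expires_in, and refresh-token rotation and revocation.
# The authorization server and API are in-process stand-ins (assumptions).
import secrets

TOKEN_LIFETIME = 3600        # assumed expires_in reported by the token endpoint (seconds)
EARLY_REFRESH = 300          # refresh when less than 5 minutes of validity remain
CLIENT_ID = "my-client-id"   # assumed client_id


class FakeAuthorizationServer:
    """Stand-in for the /token endpoint plus the state the API needs to check tokens."""

    def __init__(self):
        self.access_tokens = {}       # access_token -> expiry time
        self.refresh_tokens = set()   # refresh tokens that are currently valid

    def issue(self, now: int) -> dict:
        """Token response in the shape OAuth 2.0 defines (RFC 6749 section 5.1)."""
        access = "at_" + secrets.token_urlsafe(16)    # opaque: OAuth 2.0 defines no format
        refresh = "rt_" + secrets.token_urlsafe(16)
        self.access_tokens[access] = now + TOKEN_LIFETIME
        self.refresh_tokens.add(refresh)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "refresh_token": refresh}

    def refresh(self, form: dict, now: int) -> dict:
        """grant_type=refresh_token request; the presented refresh token is rotated out."""
        if form.get("grant_type") != "refresh_token" or form.get("client_id") != CLIENT_ID:
            raise PermissionError("invalid_request")
        old = form.get("refresh_token")
        if old not in self.refresh_tokens:
            raise PermissionError("invalid_grant")   # unknown, revoked or already used
        self.refresh_tokens.discard(old)             # rotation: each refresh token is single use
        return self.issue(now)

    def revoke_refresh_token(self, token: str) -> None:
        self.refresh_tokens.discard(token)

    def is_active(self, access_token: str, now: int) -> bool:
        return self.access_tokens.get(access_token, 0) > now


def resource_server(server: FakeAuthorizationServer, authorization_header: str, now: int) -> str:
    """The API side: any unexpired token presented as 'Bearer <token>' is accepted."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not server.is_active(token, now):
        return "401 Unauthorized"
    return "200 OK"


class ApiClient:
    """Holds one user's tokens and keeps the access token fresh."""

    def __init__(self, server: FakeAuthorizationServer, token_response: dict, now: int):
        self.server = server
        self.refresh_count = 0
        self._store(token_response, now)

    def _store(self, resp: dict, now: int) -> None:
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        self.expires_at = now + resp["expires_in"]   # trust expires_in, not a hard-coded lifetime

    def get_access_token(self, now: int) -> str:
        if now >= self.expires_at - EARLY_REFRESH:
            resp = self.server.refresh({"grant_type": "refresh_token",
                                        "refresh_token": self.refresh_token,
                                        "client_id": CLIENT_ID}, now)
            self._store(resp, now)
            self.refresh_count += 1
        return self.access_token

    def call_api(self, now: int) -> str:
        headers = {"Authorization": f"Bearer {self.get_access_token(now)}"}
        return resource_server(self.server, headers["Authorization"], now)


def try_refresh(server: FakeAuthorizationServer, refresh_token: str, now: int):
    """Token response, or None when the server refuses the refresh token."""
    try:
        return server.refresh({"grant_type": "refresh_token",
                               "refresh_token": refresh_token, "client_id": CLIENT_ID}, now)
    except PermissionError:
        return None


def try_get_access_token(client: ApiClient, now: int):
    """Access token, or None when the client must send the user back to log in."""
    try:
        return client.get_access_token(now)
    except PermissionError:
        return None
```

Note that resource_server accepts the token from anyone who presents it; that is what "bearer" means, and it is why the token, not just the refresh token, must never leak into logs, URLs or untrusted JavaScript.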
Authorization and Authentication Flows
link - auth0.com/docs/get-started/authentication-and-authorization-flow
Authorization Code Flow with PKCE - The user authenticates in the browser, the authorization server sends a short-lived authorization code back to the registered redirect URI, and the application exchanges that code for tokens in a direct back-channel call to the token endpoint. A confidential client such as your add-in's web application authenticates that call with a client secret, so it is implemented with server-side code. PKCE (Proof Key for Code Exchange) adds a random one-time code_verifier whose SHA-256 hash, the code_challenge, travels with the authorization request; the token endpoint then releases tokens only to the party that can present the matching verifier. PKCE is required for public clients (SPAs, mobile and desktop apps) that cannot keep a secret and is recommended for all clients.
link - docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
On Behalf Of Flow - Serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain: the middle-tier API presents the access token it received to the authorization server and gets back a new access token scoped to the downstream API, rather than forwarding the original token.
link - docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Implicit Grant Flow - Also known as the Implicit Flow or Client-Side Flow. The access token (and ID token) are returned directly in the fragment of the redirect URI, so the whole exchange is implemented with client-side JavaScript and no authorization code or client secret is involved. This flow was commonly used in single-page applications (SPAs), but because the tokens pass through the browser URL and cannot be bound to the requesting client, the OAuth 2.0 Security Best Current Practice no longer recommends it; new SPAs should use the authorization code flow with PKCE instead.
link - docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
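The authorization code flow with PKCE from the list above, run end to end with both sides in one process, as an added example that is not code from the original page or from Microsoft's libraries. The authorization server, client_id and URLs are constructed stand-ins (assumptions) so the exchange runs offline; the request parameters are the ones the real flow uses, and the last function shows why an intercepted code is worthless to a public client without the verifier.

```python
# Added example (not code from the original page): authorization code flow
# with PKCE (RFC 7636), client and authorization server both simulated here.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.example.com/authorize"   # assumed
CLIENT_ID = "my-client-id"                              # assumed public client
REDIRECT_URI = "https://app.example.com/callback"       # assumed, pre-registered


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """A random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))            # 43 chars, inside RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def code_from_redirect(redirect_url: str) -> str:
    return parse_qs(urlparse(redirect_url).query)["code"][0]


class PublicClient:
    """A SPA or mobile app: it holds no client secret, so PKCE binds the code to it."""

    def start_login(self) -> str:
        self.state = secrets.token_urlsafe(16)           # ties the redirect to this login attempt
        self.verifier, challenge = make_pkce_pair()      # the verifier never leaves the client
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": "openid profile",
                  "state": self.state, "code_challenge": challenge,
                  "code_challenge_method": "S256"}
        return AUTHORIZE_URL + "?" + urlencode(params)

    def finish_login(self, redirect_url: str, server) -> dict:
        qs = parse_qs(urlparse(redirect_url).query)
        if qs.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: this redirect was not started by this client")
        return server.token({"grant_type": "authorization_code", "code": qs["code"][0],
                             "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                             "code_verifier": self.verifier})


class FakeAuthorizationServer:
    def __init__(self):
        self.pending = {}   # code -> what it was issued for

    def authorize(self, url: str) -> str:
        """The user signs in and consents here; the challenge is stored alongside the code."""
        qs = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if qs.get("response_type") != "code" or qs.get("code_challenge_method") != "S256":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(16)
        self.pending[code] = {"challenge": qs["code_challenge"], "client_id": qs["client_id"],
                              "redirect_uri": qs["redirect_uri"]}
        return qs["redirect_uri"] + "?" + urlencode({"code": code, "state": qs["state"]})

    def token(self, form: dict) -> dict:
        """Back-channel exchange: the code is single use and needs the matching verifier."""
        entry = self.pending.pop(form.get("code"), None)
        if (entry is None or entry["client_id"] != form.get("client_id")
                or entry["redirect_uri"] != form.get("redirect_uri")):
            raise PermissionError("invalid_grant")
        presented = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(presented, entry["challenge"]):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": "at_" + secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 3600, "scope": "openid profile"}


def run_flow() -> dict:
    """Happy path: browser redirect out, redirect back, back-channel exchange."""
    client, server = PublicClient(), FakeAuthorizationServer()
    return client.finish_login(server.authorize(client.start_login()), server)


def stolen_code_is_useless() -> bool:
    """An attacker who intercepts the redirect has the code but not the verifier."""
    client, server = PublicClient(), FakeAuthorizationServer()
    redirect = server.authorize(client.start_login())
    try:
        server.token({"grant_type": "authorization_code", "code": code_from_redirect(redirect),
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "code_verifier": "attacker-guess"})
    except PermissionError:
        return True
    return False
```

Compare this with the implicit grant: there the access token itself would be in the redirect that the attacker intercepted, with nothing left for the server to check.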
© 2022 Better Solutions Limited. All Rights Reserved.