ID Tokens VS Access Tokens: What's the Difference?

ID Tokens vs Access Tokens. What are they and when do you use them? How do they differ? Where do they come from? We'll briefly cover OAuth 2.0 and OpenID Connect and the difference between Authentication and Authorization.

Grab the FREE Cheat Sheet from the Auth0 by Okta blog post -

Comments
Author

Great video! I especially enjoyed the illustrations created!

cantucodes
Author

I was dumbly sweating off for 2 days trying to get user information from an "access token" but then I saw this video. The clear difference you explained makes so much sense. Thank you for developing this content, auth0.

meetzaveri
Author

Super informative and concise. Excellent! MM

michaelmendoza
Author

Thanks James. Great content as usual. I am a big fan.

Fshhady
Author

The differences were explained very nicely!

dileepsoundar
Author

Wow, that was a super delicious explanation!! Loved it!!

_just_for_fun_
Author

You have made it to the point! This is amazingly easily understandable content in the bushes of misinformation on the internet on that subject! You are explaining here much more than just a difference between the tokens! Well done!

dariuszglowacki
Author

Thank you James! I have some questions.
What is the use case for having decentralized authentication, or is it preferable?
And for the OAuth protocol, I think the use case is for apps that allow integrations and expose the API to the public? Or can the use case be suitable for a single app that has micro-services and multiple clients like web and mobile apps?

amjedbouhouch
Author

That was very nicely explained. Thank you!

fieryscorpion
Author

This video is a gem. Thank you so much! 💎

umaodihirin
Author

Thanks for a simple and clear explanation

vidyapai
Author

I have a dumb question. If an access token provides authorization but not authentication, how in the example does Twitter know what user they are posting as? Seems that there MUST be at least an implicit authentication here?

mrgilbe
Author

@OktaDev 1:42 "JAWT" is a shortened form of "JAson Web Token"

shubhang
Author

Fantastic video. Very thorough and at the same time concise.

sehgalomar
Author

Thanks for the awesome video! But I have a question: what if the APIs are like a BFF (APIs that are tied specifically to your web/app)? In that case, can it be "good" to use the ID token as a Bearer?

If we need to just send the access token, how can we use custom attributes (or validate custom permissions) if the information is not available in the token itself without continuously fetching and validating the data?

Thanks!

alejandrombc
Author

Great explanation on the difference between access and id tokens.

I have a question about access tokens in Auth0 (since as of now there is no agreed-upon specification).
How does the API receiving the access token know who the requester is (username/email)? The access token proves the user is authorized to request a resource, but has no information about who the user is. So how could a remote API determine someone's identity information without using the identity token?

Daniel-zlwf
Author

Can we send the ID token to the backend for getting the user's data?
Note: Sending the access token for API authorisation as well

adysong
Author

I love this video. Very well made, the music and the animations are a great match. I think I know a few people that have or are using access tokens as a form of ID. This is a nuance that I only became aware after watching this video, so I definitely learned something new here. Thanks for making this video!

jesprotech
Author

I am very confused about the role of id_token. After the application makes its request to the authentication server, the server will return id_token, access_token. In my opinion, when the application requests the backend API it will pass id_token to the backend server, and the backend will use id_token to judge whether the user is logged in? But according to the video, id_token is not passed to the API. So the id_token returned only tells the application that the user is logged in at that moment? id_token will have no effect when calling the API?

edoufke
Author

Nice explanation 🙂 Thanks for the video 🙂

prakashto