Does app server use jwt id token for user identification or is the jwt id token meant to be sent to

Time:02-07

OAuth can be used for authentication, authorization and delegation. The OAuth flow eventually results in the app server receiving an access token (and refresh token) and a JWT ID token (OpenID Connect).

The app server can pass the access token to the resource server to access resources on behalf of the user (delegation).

Does the app server pass the JWT ID token to the resource server to inform the resource server about who the current user is? Or does the app server use the JWT ID token to authenticate the user, so that the app server knows who the current user is?

CodePudding user response:

By the specification, the app server should not pass the id_token to anything else.

The data provided to the Resource server should be determined by the scopes passed to the Authorization server and contained within the access_token.

You could send the access_token to the Resource server and then have the resource server call the userInfo endpoint.

Remember this has to do with who the end-user has authorized to receive what data.

There is a rather lengthy discussion on these topics at https://github.com/IdentityServer/IdentityServer3/issues/2015

CodePudding user response:

The ID token only proves that the user is authenticated and provides the user's profile data. It does not contain any information that can prove that the user really confirms that the resource server is allowed to do certain actions on his resource (i.e. no OAuth2 scope).

So just passing the ID token to the resource server cannot help it make the authorisation decision. Even though the resource server may use the ID token to find out who the user is, and then find out what permissions he has, it still cannot prove that the user really agreed to delegate to the app server the right to do certain actions on his resource. (i.e. having permission to do something does not mean that I agree to you doing it on my behalf.)

So always pass the access token to the resource server for making the authorization decision.

You can also refer to this blog post, which also answers your question.
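As an added example that is not part of either answer or the original question, the Python sketch below shows the point both answers make in running code: the authorization server hands the app server an ID token addressed to the client (aud = client_id, profile claims, no scope) and an access token addressed to the resource server (aud = the API, scope claim), and the resource server's verifier rejects the ID token on audience before it ever looks for a scope. Every identifier here is an assumption made for the example (the issuer URL, the client_id `app-server`, the resource audience `https://api.example`, the shared secret), and HS256 with a shared secret is used only so the code runs offline; a real resource server pins the provider's asymmetric algorithm and checks the signature against the provider's published JWKS.

```python
"""Constructed example, not code from the original post or from any OAuth library:
a minimal resource server that accepts an OAuth2 access token and rejects an OIDC
ID token for the reasons both answers give (wrong audience, no scope).  HS256 with a
shared secret is used only so the example runs offline; a real resource server
verifies the provider's asymmetric signature against its published JWKS."""
import base64
import hashlib
import hmac
import json

# All identifiers below are assumptions made for this example.
SECRET = b"constructed-shared-secret"     # shared HS256 key (assumption)
ISSUER = "https://issuer.example"         # hypothetical authorization server
CLIENT_ID = "app-server"                  # the app server's OIDC client_id
RESOURCE_AUD = "https://api.example"      # the resource server's own identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, typ: str) -> str:
    """Build a compact JWS: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_tokens(subject: str, scopes: list, now: int) -> tuple:
    """What the authorization server returns to the app server at the end of the flow.

    The ID token is addressed to the client (aud == client_id) and carries profile
    claims but no scope; the access token is addressed to the resource server and
    carries the scopes the user consented to (typ 'at+jwt' as in RFC 9068)."""
    id_token = sign_jwt({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                         "iat": now, "exp": now + 300, "name": "Alice Example"},
                        typ="JWT")
    access_token = sign_jwt({"iss": ISSUER, "sub": subject, "aud": RESOURCE_AUD,
                             "iat": now, "exp": now + 300,
                             "scope": " ".join(scopes)}, typ="at+jwt")
    return id_token, access_token


class TokenError(Exception):
    pass


def verify_access_token(token: str, required_scope: str, now: int) -> dict:
    """Resource-server side: signature, issuer, audience, expiry, then scope."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' from the token
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud", [])
    if RESOURCE_AUD not in ([aud] if isinstance(aud, str) else aud):
        raise TokenError("token not issued for this resource server")   # an ID token fails here
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("missing scope")     # authenticated user, but no delegated permission
    return claims


def handle_request(token: str, required_scope: str, now: int) -> tuple:
    """Return (status, body) the way an API endpoint would."""
    try:
        claims = verify_access_token(token, required_scope, now)
    except TokenError as exc:
        return 401, str(exc)
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    id_tok, access_tok = issue_tokens("alice", ["read:files"], now=1_700_000_000)
    print(handle_request(access_tok, "read:files", now=1_700_000_100))  # -> (200, 'hello alice')
    print(handle_request(id_tok, "read:files", now=1_700_000_100))      # rejected on audience
```

The ordering of the checks is the practical point: signature and issuer first (anything else is attacker-controlled input until then), audience next (which is exactly where an ID token, addressed to the app server rather than the API, is rejected), and only then the scope check that turns "this user is authenticated" into "this user authorised this client to do this action".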
