security - ID token or /userinfo for identity assertion


After authenticating with the provider, the application receives both an ID token and an access token on behalf of the user. It seems there are two ways to assert who the user is:

  1. Verify the ID token and read it.
  2. Pass the access token to the userinfo endpoint and read the JSON response.

Both seem to be acceptable avenues; are there scenarios in which one or the other should be used?

If you have both tokens and the ID token contains the info you need, you can use either way. Below are a few differences that came to mind:

  • Verifying and reading the ID token can be done without accessing the OAuth2 server (if you have the certificate downloaded locally), which makes it faster, and there are fewer possible errors to deal with: no network requests.
  • If the user info changes often, the ID token could contain obsolete data, but that's hardly ever the case.
  • Access tokens can be revoked (ID tokens cannot), so if you need that, the userinfo route does the job better.
