OAuth 2.0 / OpenID Connect - Conceptual question about using ID Token vs using Access Token

Time: 03-11

I am rather new to programming and authentication/authorization as a whole and want to fundamentally understand what I am doing in my junior job.

One thing that is not fully clear to me is the following:

  • I understand the flow and what the ID Token is that I get with OpenID Connect
  • I also understand that this token is very different from the Access Token I get via OAuth authorization. The access token has scope and I can make calls against an API with it.

Now the following (common?) scenario: I have an app (in my case a bot, but nvm) that generally requires a Login (authentication with OpenID Connect) --> redirects user to my IdP and so on --> get an ID Token back

Later on I might want to send an Email on the user's behalf - so I need to set some authorization with scope and so on in motion.

Now normally in a state-of-the-art app, how is the login window in the authorization step avoided? OFC, we still need to ask for permission to stuff, but we should not need e.g. user/pass again.

Can someone explain to me the basic logic behind such a scenario? What is the core idea behind "remembering" that I already did an authorization and keeping that status with further OAuth-based interactions? What is generally the way to make use of a logged-in session? And also: managing the session, etc. is normally in the sphere of my app, right? What's part of OAuth and what's part of me as a dev? I am hoping for a general, more conceptual answer :)

Please excuse my maybe inaccurate wording, I am new here :) Appreciate any help!

CodePudding user response:

When the user initially authenticates, the client will receive an access and a refresh token.

Using the access and refresh token, the client can then in the background (even when the user is not logged in) use the access token to call the Email-API whenever it likes to.

It can do this forever, until the user either stops the access or the refresh token expires.

Then you have a lot of configuration options here to deal with.
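As an added illustration of the answer above (not code from the original post, and not a real OAuth library): a constructed in-memory IdP and Email-API, plus a bot client that stores the tokens from the initial login, renews the access token with the refresh token in the background, and only fails once the user revokes that refresh token. Token strings, lifetimes and the `invalid_grant` / `invalid_token` error names are assumptions for the simulation.

```python
from dataclasses import dataclass
# Constructed in-memory stand-ins for an IdP token endpoint and an Email-API.
# They model only the token lifetimes the answer describes, not a real OAuth server.
@dataclass
class TokenSet:
    id_token: str       # who logged in; used by the app's own login, never sent to the API
    access_token: str   # scoped bearer credential presented to the Email-API
    refresh_token: str  # long-lived; swapped for new access tokens in the background
    expires_at: float   # when the access token stops being accepted

class FakeIdP:
    def __init__(self, access_ttl=3600):
        self.ttl, self.n, self.live_refresh, self.access = access_ttl, 0, set(), {}
    def login(self, now):  # end of the OIDC login: id, access and refresh token come back
        self.n += 1
        self.live_refresh.add(f"rt{self.n}")
        return self._issue(f"rt{self.n}", now, id_token=f"id{self.n}")
    def refresh(self, rt, now):  # refresh grant: no user interaction involved
        if rt not in self.live_refresh:  # revoked or expired: the user must log in again
            raise PermissionError("invalid_grant")
        return self._issue(rt, now, id_token=None)  # a fresh ID token is optional here
    def _issue(self, rt, now, id_token):
        self.n += 1
        self.access[f"at{self.n}"] = now + self.ttl
        return TokenSet(id_token, f"at{self.n}", rt, now + self.ttl)
    def revoke(self, rt):  # "the user stops the access"
        self.live_refresh.discard(rt)

def email_api_send(idp, access_token, now):  # resource server: checks the access token only
    exp = idp.access.get(access_token)
    if exp is None or exp <= now:
        raise PermissionError("invalid_token")
    return "sent"

class BotClient:  # the app: keeps the tokens and renews silently, never re-prompts the user
    def __init__(self, idp): self.idp, self.tokens = idp, None
    def login(self, now): self.tokens = self.idp.login(now)
    def send_email(self, now):
        if self.tokens.expires_at <= now:
            self.tokens = self.idp.refresh(self.tokens.refresh_token, now)
        return email_api_send(self.idp, self.tokens.access_token, now)

def scenario(ttl=3600):
    idp = FakeIdP(ttl); bot = BotClient(idp); bot.login(now=0)
    first = bot.send_email(now=10)        # access token still valid
    later = bot.send_email(now=5000)      # expired: refreshed without a login window
    idp.revoke(bot.tokens.refresh_token)  # user withdraws consent at the IdP
    try:
        after_revoke = bot.send_email(now=10000)
    except PermissionError as e:
        after_revoke = str(e)
    return first, later, after_revoke
```

Session handling on the app side (where `BotClient` keeps its `tokens`) is the developer's responsibility; the IdP only issues, refreshes and revokes the tokens.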
