What is the difference between id_token and access_token in Auth0

javascript oauth openid jwt auth0
Scott Coates picture Scott Coates · Jul 18, 2015 · Viewed 10.2k times · Source

In Auth0 you can use refresh tokens. In this link, we can see many returned parameters:

lock.showSignin({
  authParams: {
    scope: 'openid offline_access'
  }
}, function (err, profile, id_token, access_token, state, refresh_token) {
  // store refresh_token
});

Apparently, access_tokens can be used to retrieve user profile data. But this appears to be specific to oauth, and I thought auth0 uses openid?

What is the difference between id_token and access_token?

Answer

Eugenio Pace picture Eugenio Pace · Jul 18, 2015

OpenID Connect is built on top of OAuth2.

  • An access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.
  • An id_token is a JWT and represents the logged in user. It is often used by your app.
  • A refresh_token (only to be used by a mobile/desktop app) doesn't expire (but is revokable) and it allows you to obtain freshly minted access_tokens and id_token.

Related questions

How to authenticate with Google via OAuth 2.0 in a popup?

Sorry for a big edit. I am starting over as I am not stating my question correctly. I am trying to write a client side app in HTML5. I do not want it to be hosted on a website. I …

Read More
How can I get an oauth access token in sharepoint 2013?

I have this site here: http://msdn.microsoft.com/en-us/library/jj164022(v=office.15).aspx the text in some part says: The following JavaScript code demonstrates how to make this GET request that returns a JSON representation of all of …

Read More
application that uses OAuth and javascript

I am planning to create an app that uses JavaScript and it needs to use OAuth to authenticate user for a website. Can anyone help me out please? Any sample code? I know about the Google Code Javascript OAuth library …

Read More