In Auth0 you can use refresh tokens. In this link, we can see many returned parameters:
    lock.showSignin({
      authParams: {
        scope: 'openid offline_access'
      }
    }, function (err, profile, id_token, access_token, state, refresh_token) {
      // store refresh_token
    });
Apparently, access_tokens can be used to retrieve user profile data. But this appears to be specific to OAuth, and I thought Auth0 uses OpenID?
What is the difference between id_token and access_token?
OpenID Connect is built on top of OAuth2.
access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.
id_token is a JWT and represents the logged in user. It is often used by your app.
refresh_token (only to be used by a mobile/desktop app) doesn't expire (but is revokable) and it allows you to obtain freshly minted access_tokens and id_token.
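The distinction in the answer above, as an added example (not part of the original answer and not Auth0's own code): an app should validate the id_token's signature, issuer, audience and expiry before treating it as the logged-in user, and an access_token is not a substitute for it. The sketch assumes HS256 signing with a shared client secret and an opaque access token; `signHS256`, `verifyIdToken`, `check` and every value in `cfg` are hypothetical names and constructed sample data.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Stands in for the authorization server in this demo: builds an HS256-signed JWT.
function signHS256(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns the claims if the token is a valid ID token for this client, else throws.
function verifyIdToken(token, { secret, issuer, audience, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { throw new Error('not a JWT'); }
  // Pin the algorithm instead of trusting whatever the token header asks for.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    throw new Error('bad signature');
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  // aud may be a string or an array; it must name this client.
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample values (not real credentials or a real tenant).
const cfg = { secret: 'demo-client-secret', issuer: 'https://example.invalid/',
              audience: 'demo-client-id', now: 1700000000 };
const idToken = signHS256(
  { iss: cfg.issuer, aud: cfg.audience, sub: 'user|123', exp: cfg.now + 3600 }, cfg.secret);
const accessToken = 'kX9opaqueAccessTokenValue'; // constructed opaque string, for API calls only

// Returns the subject on success, or the reason the token was rejected.
function check(token) {
  try { return verifyIdToken(token, cfg).sub; } catch (e) { return e.message; }
}
console.log(check(idToken));
console.log(check(accessToken));
```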