Scenario: legacy application(s) which need to be authenticated using OpenID Connect. We are using Keycloak as the IP.

All I really need is a single authentication mechanism for multiple applications. After authenticating, I also need the 'user-id' information (claim).

I have the access_token (scope openid). Do I also need an id_token to access the "user-id" information? Or do I need to decode the access_token?
You really need the id_token because only that token tells you who the user is that signed in, where the user signed in to, and whether the token was actually issued for your application and not swapped for some other. The access_token has different semantics: it tells you nothing on its own but could be used to access protected resources. Moreover, the access token could be swapped in by a man-in-the-middle.