TechQA.

Implementing SSO using OpenID Connect and usage of tokens

238 views Asked by At

Scenario - Legacy application(s) which needs to be authenticated using OpenID connect. We are using keycloak as the IP.

All, I really need is a single authentication mechanism for multiple applications. After authenticating, I also need is the 'user-id' information (claim).

I have the access_token (scope openid). Do I also need an id_token to access the "user-id" information? or DO I need to decode "access_token?

access-token openid-connect keycloak google-oauth-java-client
Original Q&A
1

There are 1 answers

0
Hans Z. On BEST ANSWER

You really need the id_token because only that token tells you who the user is that signed in, where the user signed in to and whether the token was actually issued for your application and not swapped for some other.

The access_token has different semantics: it tells you nothing on its own but could be used to access protected resources. Moreover, the access token could be swapped in by a man-in-the-middle.

Related Questions in ACCESS-TOKEN

Related Questions in OPENID-CONNECT

Related Questions in KEYCLOAK

Related Questions in GOOGLE-OAUTH-JAVA-CLIENT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions