Closed lkgarrison closed 1 month ago
Ping @isamauny - do we need more clarity in the spec here? My understanding was that the openIdConnectUrl
(such as https://meechum.netflix.com/.well-known/openid-configuration) was used in place of the type: oauth
fields to obtain the necessary oAuth2 configuration (flows, scopes etc) to connect with the described API. Though I'm not sure on the specific question of access_token
vs id_token
posed above.
Whether the consumer should be sending an access_token
vs an id_token
seems like an important part of the spec - can anyone comment on whether OASv3 can/does tell the consumer which token type should be sent to the API?
Hi there,
The problem is complex (is the OpenID Connect Provider also an OAuth Authorization Server for the API? Are the access token opaque tokens or JWTs? etc), but in short id_tokens are JWTs intended for Client Applications use, not for Resource Server (API) use.
id_tokens are there so that the Client Application can authenticate the end-user, they contain potentially sensitive information about the end-user that you as the Client Application developer/owner might not be allowed to transmit to the Resource Server (the API).
So don't send id_tokens but access_tokens to the API. The API can then invoke the token introspection endpoint to get information about the end-user and the scopes the client application requested.
Hope it helps,
Phil
Thanks for the detailed reply Phil. It would be great to see this guidance appear within the spec itself to help eliminate confusion for API consumers.
Yes, it would be helpful to include this guidance specs. This is an important aspect that is often not understood.
OIDC and OAuth 2 follow the same convention: to make a call to an endpoint (i.e., to access an API), you need to provide the access token.
The ID token is for identity, not for access. It essentially represents who you are, whereas the access token is the actual key to open the door.
The identity provider will provide you with both the ID token and the access token (and sometimes a refresh token). In most cases, if you request only the ID token, you cannot use it to access the API
With the addition of the openIdConnect security scheme object type in v3, I find the spec ambiguous on whether the API consumer should be sending an
id_token
or anaccess token
to the API.From my understanding, this may not have been an issue in v2 since there was only
oauth2
instead ofoauth2
andopenIdConnect
. Since OpenIDConnect flows can provide both id tokens and access tokens, which token type should be sent to the API? Does specifying an auth type ofopenIdConnect
imply that anid_token
should be used, whileoauth2
implies that anaccess_token
should be used? If so, I think this information should be explicit in the spec instead of implied. If not, could you comment on whether or not consumers should always be sending anaccess_token
for bothoauth2
andopenIdConnect
security scheme types?