Closed gbatalski closed 5 years ago
+1 :)
Voting -1
See https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis
ID Tokens should not be used to gain access to an API. Each token contains information for the intended audience (which is usually the recipient). Per the OpenID Connect specification, the audience of the ID Token (indicated by the aud claim) must be the client ID of the application making the authentication request. If this is not the case, you should not trust the token. Conversely, an API expects a token with the aud value to equal the API's unique identifier. Therefore, unless you maintain control over both the application and the API, sending an ID Token to an API will generally not work. Furthermore, the ID Token is signed with a secret known only to the application itself. If an API were to accept an ID Token, it would have no way of knowing if the application has modified the token (such as adding more scopes) and resigned it.
See discussions here: IdentityServer/IdentityServer3#2015
To summarize, there are lots of applications sending ID tokens to their backends or other trusted components, but the protocols don't suggest doing so.
I think for simplicity's sake it might be good to follow the advice posted by last two commenters, and not support this out of the box. I think as OP suggests "implementing your own interceptor" is the way to go here.
Closing this issue for now. Let us know if there's still reason to re-open it!
Hello Manfred and thank you for this nice library!
My backend expects the id_token is sent within the Authorization header. I've implemented my own interceptor to support this behavior. Are there any reasons speaking against the possibility to choose between token types wich will be sent to backend?
I could propose a PR for this.
Regards, Gena