How does the OIDC server know what token type it is?

Question
-
User1034446946 posted
If id_token, access_token and refresh_token can all be JWTs, how does the server determine which one is being used?
I am thinking it's a scope, but I can't see anything in the docs.
Saturday, May 30, 2020 2:52 PM
Answers
-
User475983607 posted
Access tokens identify the client, typically using claims cached within the token. The secured resource reads the claims and uses the data to authorize or deny access to the resource.
A refresh token contains information to get a new access token.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Saturday, May 30, 2020 3:45 PM -
User-474980206 posted
Scope controls what claims or access the token is for. You pass a scope when requesting an access token. The user will be asked to grant the access. When you use the token for an API call, the scope controls what data can be returned.
The minimum scope is to just verify the user.
I don't know what you mean by trust. The OAuth server always validates a token, whether it's an access or refresh token. You should really read about OAuth, because you seem really weak on the concepts.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Sunday, May 31, 2020 1:18 AM
All replies
-
User475983607 posted
I think you misunderstand the fundamentals. A refresh token is used to get an access token from the token server when an access token expires or is close to expiring. An access token is used to access a secured resource, which is (generally) not the token server.
Saturday, May 30, 2020 3:03 PM -
User1034446946 posted
I still have the same issue: how would the resource server know it's a refresh token and reject it?
Saturday, May 30, 2020 3:09 PM -
User475983607 posted
Access tokens identify the client, typically using claims cached within the token. The secured resource reads the claims and uses the data to authorize or deny access to the resource.
A refresh token contains information to get a new access token.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Saturday, May 30, 2020 3:45 PM -
User1034446946 posted
But the primary information is going to be the same: iss, aud, and sub. Something I just read stated the scope would also have all the access token scopes.
So the only way I can see it being different is if the refresh token has an additional scope of refresh (or similar), but there is nothing in the docs that I can find about it. Additional claims could be empty in any case, so again it's not a valid way to differentiate the two.
Saturday, May 30, 2020 4:02 PM -
User-474980206 posted
The format of the refresh token is not defined. Every OAuth server is free to define its own format. The API call to get an access token includes the refresh token, and the server knows how to validate the refresh token.
The server knows it's a refresh token because it is the value of the refresh_token parameter.
Saturday, May 30, 2020 4:09 PM -
User1034446946 posted
So there is an element of trust?
So using the scope isn't a bad idea?
Saturday, May 30, 2020 9:12 PM -
User-474980206 posted
Scope controls what claims or access the token is for. You pass a scope when requesting an access token. The user will be asked to grant the access. When you use the token for an API call, the scope controls what data can be returned.
The minimum scope is to just verify the user.
I don't know what you mean by trust. The OAuth server always validates a token, whether it's an access or refresh token. You should really read about OAuth, because you seem really weak on the concepts.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Sunday, May 31, 2020 1:18 AM -
User1034446946 posted
Thanks.
Sunday, May 31, 2020 10:42 AM