ID token and Access token azure ad

Difference between ID token and Access token azure ad

Understanding the difference between an ID token and an access token in Azure AD is key to mastering authentication and authorization in Azure Active Directory. ID tokens verify user identity, while access tokens unlock resource access. Let’s break it down.

What is an ID Token?

An ID token is a JSON Web Token (JWT) issued as part of the OpenID Connect (OIDC) protocol, which Azure AD uses for authentication. Its primary purpose is to prove that a user has been authenticated and to provide information about the user to the client application.

  • Purpose: Authentication (verifying “who” the user is).
  • Audience: Intended for the client application (e.g., a web or mobile app) that requested the token.
  • Contents: Contains claims (key-value pairs) about the user, such as:
      ◦ User’s identity (e.g., sub or oid for a unique identifier).
      ◦ Name, email, or other profile information (if requested via scopes like profile or email).
      ◦ Issuer (iss), audience (aud), and expiration time (exp).
  • Usage: The client application uses the ID token to confirm the user’s identity and personalize the user experience (e.g., displaying the user’s name).
  • Not for APIs: ID tokens should not be used to access APIs or resources, as they are not designed for authorization: their aud claim names the client application, not the API, and they carry no granted permissions.

What is an Access Token?

An access token is a security token issued as part of the OAuth 2.0 protocol, which Azure AD uses for authorization. Its primary purpose is to grant the client application permission to access protected resources (e.g., APIs) on behalf of the user.

  • Purpose: Authorization (determining “what” the user can do).
  • Audience: Intended for the resource server or API (e.g., Microsoft Graph, a custom API).
  • Contents: Contains claims that specify:
      ◦ Permissions (scopes) granted to the client (e.g., User.Read for Microsoft Graph).
      ◦ The resource it’s meant for (via the aud claim, which matches the API’s identifier).
      ◦ Issuer, expiration time, and sometimes roles or group memberships (if configured).
  • Usage: The client sends the access token in the Authorization header (as a Bearer token) to an API to access protected resources.
  • Opaque to Clients: While often a JWT in Azure AD, the client should treat it as an opaque string and not attempt to parse it. The API is the party that validates it (signature, issuer, audience, expiration time, and the scopes it requires).

Example: How the Two Tokens Work Together

User Signs In:

  • A user logs into a web app via Azure AD using OIDC.
  • Azure AD issues an ID token to the app, containing the user’s identity (e.g., sub, name).
  • The app uses this to display “Welcome, [User Name]”.

Accessing an API:

  • The app also requests an access token with scopes (e.g., https://graph.microsoft.com/User.Read).
  • The app sends the access token to Microsoft Graph API to fetch the user’s profile data.

Token Flow:

  • The ID token stays with the client app and isn’t sent to the API.
  • The access token is sent to the API, which validates it and grants access based on the scopes.
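The API-side validation in the flow above, as an added example that is not code from the original post. Azure AD signs tokens with RS256 and publishes its keys via a JWKS endpoint; to stay offline this example signs with HS256 over a constructed shared secret, and the issuer tenant, API audience and client ID values are placeholders (all assumptions). It shows why an ID token handed to an API is rejected: its aud is the client app, not the API, and it carries no scopes.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # stand-in for the issuer's signing key (assumption)
ISSUER = "https://login.microsoftonline.com/{tenant-id}/v2.0"  # tenant id is a placeholder
API_AUDIENCE = "api://my-api"         # the API's application ID URI (constructed)
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # the client app's id (constructed)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256 over the demo secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_access_token(token: str, required_scope: str, now=None) -> dict:
    """The API side of a Bearer request: check signature, issuer, audience, expiry and scope.
    Raises ValueError on any failure; returns the verified claims otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    # An ID token's aud is the client app id, not this API, so it is rejected here.
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("token was not issued for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scp", "").split():
        raise ValueError(f"missing scope {required_scope}")
    return claims

def api_accepts(token: str, required_scope: str, now=None) -> bool:
    # Convenience wrapper: True if the API would serve the request, False otherwise.
    try:
        validate_access_token(token, required_scope, now)
        return True
    except ValueError:
        return False
```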

In summary, grasping the difference between an ID token and an access token in Azure AD is vital for building secure and efficient applications within the Azure ecosystem. The ID token focuses on authenticating a user’s identity for the client, while the access token ensures authorized access to resources such as Microsoft Graph or custom APIs.

By using each token appropriately, you can enhance security and avoid common pitfalls. Whatever you’re developing with Azure AD, keep this distinction in mind to fully leverage its capabilities!
