Thursday, December 5, 2019

What is an Access Token and an ID Token? How can we retrieve user info from an Access Token or ID Token?

What is an Access Token?
An access token is a bearer token that you must add to the headers of every request in order to be authenticated as a specific user.

Resource Link: https://stackoverflow.com/questions/25838183/what-is-the-oauth-2-0-bearer-token-exactly/25843058

What is an ID Token?


An ID Token is a JWT (JSON Web Token), that is, a cryptographically signed Base64-encoded JSON object. Normally, it is critical that you validate an ID token before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid. If your server passes the ID token to other components of your app, it is extremely important that the other components validate the token before using it.

Since most API libraries combine the validation with the work of decoding the base64 and parsing the JSON, you will probably end up validating the token anyway as you access the fields in the ID token.

An ID token's payload
An ID token is a JSON object containing a set of name/value pairs. Here’s an example, formatted for readability:

{
  "iss": "accounts.google.com",
  "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
  "email_verified": "true",
  "sub": "10769150350006150715113082367",
  "azp": "1234987819200.apps.googleusercontent.com",
  "email": "jsmith@example.com",
  "aud": "1234987819200.apps.googleusercontent.com",
  "iat": 1353601026,
  "exp": 1353604926,
  "nonce": "0394852-3190485-2490358",
  "hd": "example.com"
}

Resource Link: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
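
As an added example (not from the original post or from Google's documentation), these are the claim checks a component should run on an ID token it was handed, once a JWT library has verified the signature against Google's published keys. The function names and the access-token value are assumptions; the claims are the sample payload above, with at_hash recomputed for the made-up access token.

```python
import base64
import hashlib
import json

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(id_token: str) -> dict:
    # Decoding only reads the claims. It proves nothing about who issued them.
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))

def at_hash(access_token: str) -> str:
    # OpenID Connect at_hash for RS256: left half of SHA-256, base64url, no padding.
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")

def claim_errors(claims, client_id, nonce, now, access_token=None, hosted_domain=None):
    """Return the claims that fail validation (signature assumed already verified)."""
    errors = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        errors.append("iss")      # token was not issued by Google
    if claims.get("aud") != client_id:
        errors.append("aud")      # token was minted for a different client
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        errors.append("exp")      # missing or expired
    if claims.get("nonce") != nonce:
        errors.append("nonce")    # does not match the value sent in the auth request
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        errors.append("at_hash")  # access token does not belong with this ID token
    if hosted_domain is not None and claims.get("hd") != hosted_domain:
        errors.append("hd")       # account is outside the expected hosted domain
    return errors

# Constructed sample: the payload shown above; the access token is made up.
SAMPLE_ACCESS_TOKEN = "constructed-access-token"
SAMPLE_CLAIMS = {
    "iss": "accounts.google.com",
    "sub": "10769150350006150715113082367",
    "aud": "1234987819200.apps.googleusercontent.com",
    "iat": 1353601026, "exp": 1353604926,
    "nonce": "0394852-3190485-2490358", "hd": "example.com",
    "at_hash": at_hash(SAMPLE_ACCESS_TOKEN),
}
```

An empty list means every checked claim passed; any entry names a claim that should cause the token to be rejected.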

How can we retrieve user info from an Access Token or ID Token?

The answer is available at this link: https://www.oauth.com/oauth2-servers/signing-in-with-google/verifying-the-user-info/

Resource Links:

  1. https://stackoverflow.com/questions/16501895/how-do-i-get-user-profile-using-google-access-token
  2. https://stackoverflow.com/questions/22516693/how-to-get-user-profile-on-google-api-using-the-java-library
