FAQs

What is the difference between an Access Token and an ID Token?

ID Token: Defined by the OIDC specification and always a JWT. It asserts that a user has been authenticated and carries additional claims about that user's identity (e.g. given_name, family_name, etc.). It should not be used in calls to an API.

Access Token: Defined by the OAuth specification and may have any structure (e.g. an opaque string or a JWT). It asserts that the client application has been authorized and may carry additional claims describing the scope of the application's permissions (e.g. create:resource, read:resource, etc.). It should be used in calls to an API.

Why isn't my access token a JWT?

When implementing an authorizer for your API, you may notice that many examples expect the access token to be a signed JWT and call the issuer's JWKS endpoint to verify its signature. If the access token you receive is not a JWT, ensure that you set the audience during the initial OIDC exchange. The audience identifies the resource server the token is intended to access; once it is present, the issuer knows which API the token is bound to and returns a signed JWT that the authorizer can verify against the JWKS endpoint.
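The following authorizer is an added example, not code from this FAQ or its IDaaS product. It shows the checks the two questions above imply: an opaque (non-JWT) token is rejected with a pointer to the missing audience, the signing key is looked up by kid in a JWKS document, and the aud claim must name the API, which is exactly why an ID token (whose audience is the client, not the API) must not be sent to an API. To stay runnable offline with only the standard library it uses an HS256 "oct" JWK and a constructed secret; a real IDaaS JWKS publishes RSA keys and the kid lookup and claim checks are unchanged. The JWKS, secret and audience URL are assumed values.

```python
import base64, hashlib, hmac, json, time

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed JWKS (assumed). Real issuers publish "kty": "RSA" keys here; an
# "oct" (shared-secret) key keeps this example runnable without extra libraries.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": _b64u(b"example-shared-secret-not-for-production")}]}
API_AUDIENCE = "https://api.example.com/orders"  # assumed resource server identifier

def mint(claims, kid="k1"):
    """Stand-in for the issuer: signs the claims as an HS256 JWT with the JWKS key."""
    key = _b64u_decode(next(k["k"] for k in JWKS["keys"] if k["kid"] == kid))
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def authorize(token, now=None):
    """API authorizer: returns verified claims, or raises ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        # Opaque token: no audience was requested, so the issuer could not
        # bind the token to this API and did not return a verifiable JWT.
        raise ValueError("not a JWT: request the API audience at authorization time")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64u_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the issuer's algorithm; never accept "none"
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    key = next((k for k in JWKS["keys"] if k["kid"] == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid: key not found in JWKS")
    expected = hmac.new(_b64u_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(p_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud:
        # An ID token's aud is the client_id and it carries identity claims; reject it.
        raise ValueError("audience mismatch: ID token or token issued for another API")
    return claims
```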

Why do I get an error when configuring an audience for my OIDC application?

If you get an error when setting an audience (either when passing it from the client or when configuring it on the OIDC application in IDaaS), ensure that the audience is defined as a valid resource server for that application. In IDaaS, this means adding a new entry to the APIs/URLs list, which is reached from the IDaaS Administration Portal via the top-left hamburger menu at Security→Authorization.