I am pretty new to these protocols, and I am having some trouble understanding something. I am currently working on an application whose API and frontend are both mine. I use the Azure identity platform to receive the tokens on the client side and send the token to the server, which validates the token using the passport-azure-ad BearerStrategy (I have my app registration for that purpose, of course). The thing that I don't get is that I incorrectly used the tokens I received from Azure in my client and sent the ID token to my API; it verifies it as a valid one and the user is authenticated to perform the request sent. But, as I read here https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens, and in every other article about OAuth2 and OpenID, ID tokens are for UX stuff and the client, while I should have used the access token in my request to my API. But how come the ID token is also verified in my API? It makes no sense to me, or am I missing something?
And if so, is there any vulnerability in using the ID token as I did? Thank you!

Shlomo Levi

1 Answer

APIs should first validate the JWT access token, to check these fields have allowed values. An ID token will then fail the audience check.

  • JWT signature
  • Not expired / valid at this time
  • Issuer (a Microsoft ID)
  • Audience (eg api.mycompany.com)

Access tokens have scopes, whereas ID tokens do not. Every API endpoint should validate the received scope, eg to ensure that it has received the right type of token. This will also ensure that the API does not accept ID tokens.

So although some API tech stacks accept ID tokens, making the standard checks will ensure the right behavior. And the real API authorization is then done using claims, to apply your business rules.

Gary Archer
  • This now makes a lot of sense, thanks! But still, in case my API has one restriction in terms of auth, user is authorized or user is not, meaning I do not have scopes and I don't really need to validate this claim. The ID token will succeed all my checks then, the aud claim is the client id which will pass the auth check, so is there any problem with using the ID token? (not in terms of the purposes of the token, which I now understand, but in terms of practical vulnerability) Thank you! – Shlomo Levi Apr 29 '22 at 09:59
  • Access tokens have a short expiry, e.g. 30 minutes, whereas an ID token just informs the app how authentication occurred. Its expiry is not used but could be longer than it should be. Get in the habit of sending access tokens to APIs. If there are problems with that, update your question and I'll update my answer. – Gary Archer Apr 29 '22 at 12:34