access-token openid-connect keycloak google-oauth-java-client

Implementing SSO using OpenID Connect and usage of tokens

Scenario - Legacy application(s) which needs to be authenticated using OpenID connect. We are using keycloak as the IP.

All, I really need is a single authentication mechanism for multiple applications. After authenticating, I also need is the 'user-id' information (claim).

I have the access_token (scope openid). Do I also need an id_token to access the "user-id" information? or DO I need to decode "access_token?

Solution

You really need the id_token because only that token tells you who the user is that signed in, where the user signed in to and whether the token was actually issued for your application and not swapped for some other.

The access_token has different semantics: it tells you nothing on its own but could be used to access protected resources. Moreover, the access token could be swapped in by a man-in-the-middle.

What is the purpose of a "Refresh Token"?
Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
Revoking a Github app's authorization 404 not found error
The authorization grant type is not supported by the authorization server in laravel
Getting 404 page when using NextResponse.next() in the Next.js 14 middleware
Error APNS device token not set before retrieving FCM Token for Sender ID
How to update a GitHub access token via command line
Wrong Token on the send mail API on microsoft graph
Google API Client "refresh token must be passed in or set as part of setAccessToken"
Request an access token in Azure Active Directory B2C Error
B2C authentication not returning access_token
Why does my HttpOnly Flag Cookie not get saved?
Session expired or invalid on using access token
Do Google refresh tokens expire?
How can i generate a dropbox api access token that doesnt expire?
Azure access token generation from Postman
Facebook Long-Lived Pages Access Token
Is there a way to add roles to ID or Access Token as an optional claim in Entra ID / Azure Active Directory
Can not create and use token to use ACS for a teams user: "CallAgent must be created only with ACS token."
Run JMeter script in AzureDevOps - Bearer Access Token generation
May an OAuth 2.0 access token be a JWT?
403 Forbidden when trying to call Graph API to add calendar event
How to get new access token from refresh token in salesforce?
How scopes are added to token in Azure Entra ID?
"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
How to provide custom expiration for each access token in keycloak?
A question around the access token frontend get after authentication
Extract an access token from a Post request and use it in another post request in Postman
Express.js with Azure Managed Identity not able to refresh access token after it expires
Is there way to login automatically using access_token?