Keycloak ID Token

In Keycloak, when both the Access Token and ID Token contain user information, what is the specific purpose or added value of using the ID Token in applications? Could you clarify scenarios where using the ID Token is essential compared to relying solely on the Access Token?

I’d recommend reading the OIDC spec for information about the standards and use of the ID/Access Token. Final: OpenID Connect Core 1.0 incorporating errata set 2

The access_token is from OAuth, the id_token is from OIDC.
OAuth is about authorization of 3rd party clients to resources in a resource server.
OIDC is about authenticated user identity.

An access_token should not contain user related data (although it’s not forbidden).
The id_token is here to provide standardized and verifiable information about the user itself.

The access_token should (must) be propagated from the client to the resource server, to get access to the resources.
The id_token is not to be forwarded/propagated anywhere else.

Keycloak maps by default much information to access_token, id_token and userinfo endpoint. This is not forbidden, but IMHO not a proper approach. It makes it easier for new developers to get data, but also leads to wrong assumptions. This default configuration should be adjusted in proper production environments.
Other platforms may do this similarly, e.g. EntraID also maps user specific data to the access_token. But this doesn’t mean that this is correct.

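The two rules in the answer above (the client consumes the ID token for identity; only the access token goes to the resource server, which must refuse an ID token presented as a bearer credential) as an added example, not code from the thread or from Keycloak. It assumes Keycloak's convention of setting `typ` to `ID` in an ID token header and `Bearer` in an access token header, and it stands in HS256 with a constructed shared secret for the RS256 keys a real deployment would fetch from the realm's JWKS endpoint; issuer, client id and audience values are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret"  # constructed; real Keycloak tokens are RS256-signed, keys from the JWKS endpoint
ISSUER = "https://keycloak.example/realms/demo"  # constructed realm issuer


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, typ: str) -> str:
    """Mint a compact JWS (HS256 stand-in for the IdP's RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify(token: str):
    """Check the signature, then return (header, claims); never trust claims before this."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))


def client_accepts_id_token(token: str, client_id: str, nonce: str, now=None) -> bool:
    """OIDC client side: the ID token must be addressed to this client and bound to our nonce."""
    hdr, claims = verify(token)
    now = time.time() if now is None else now
    return (hdr.get("typ") == "ID" and claims.get("iss") == ISSUER
            and claims.get("aud") == client_id and claims.get("nonce") == nonce
            and claims.get("exp", 0) > now)


def resource_server_accepts(token: str, audience: str, now=None) -> bool:
    """Resource server side: only an access token naming this API as audience is a valid bearer."""
    hdr, claims = verify(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (hdr.get("typ") == "Bearer" and claims.get("iss") == ISSUER
            and audience in aud and claims.get("exp", 0) > now)


# Constructed sample tokens: the access token targets the API, the ID token targets the web client.
ACCESS_TOKEN = sign({"iss": ISSUER, "aud": ["orders-api"], "azp": "web-app", "sub": "u1", "exp": 2_000_000_000}, "Bearer")
ID_TOKEN = sign({"iss": ISSUER, "aud": "web-app", "nonce": "n1", "sub": "u1", "email": "u1@example.test", "exp": 2_000_000_000}, "ID")
```

A forwarded ID token fails at the resource server on both the `typ` and the `aud` check, which is exactly why it carries user detail safely while the access token need not.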