Tags: openid-connect, access-token, ping, okta, isam

Should we compare 'sub' claim in Access Token and ID Token?


If we get an ID token and an access token like the ones below in an OIDC flow:

ID token:

{
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "urn:mace:incommon:iap:silver",
    "amr": ["mfa", "pwd", "otp"]
}

Access token:

{
    "iss": "https://cas.nhs.uk",
    "sub": "https://fhir.nhs.uk/Id/sds-role-profile-id|[SDSRoleProfileID]",
    "aud": "https://provider.thirdparty.nhs.uk/GP0001/STU3/1",
    "exp": 1469436987,
    "iat": 1469436687,
    "reason_for_request": "directcare",
    "requested_scope": "patient/*.read",
    "requesting_system": "https://fhir.nhs.uk/Id/accredited-system|[ASID]",
    "requesting_organization": "https://fhir.nhs.uk/Id/ods-organization-code|[ODSCode]",
    "requesting_user": "https://fhir.nhs.uk/Id/sds-role-profile-id|[SDSRoleProfileID]"
}

Is it a valid assumption that the 'sub' claim from the ID token should match the 'sub' claim in the access token? Or are they both separate representations?

Do we even perform such validations at the resource server to make sure both of them form a pair and are issued for the same user session?


Solution

  • Per Okta's documentation, the 'sub' claim in the access token is, by default, either the user's ID (if using an OAuth flow with a user scope available, like Authorization Code flow) in Okta OR the application's client ID (if using Client Credentials flow) in Okta. However, if you are using a custom authorization server, the value for 'sub' can be configured.

    Similarly, the 'sub' claim in the ID token will be the user's ID in Okta. Unlike the access token, this value cannot be modified, as the OIDC standard requires that this value be locally unique within the issuer.

    Why would your resource server interact with the ID token? ID tokens are used for Authentication use cases, while access tokens are used for Authorization use cases, as mentioned here: https://developer.okta.com/docs/guides/validate-access-tokens/go/overview/#access-tokens-vs-id-tokens. If you are looking to protect a resource server with OAuth tokens, you will want to rely on the access tokens.
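To make the split in the answer concrete, here is an added example (not code from the answerer, Okta, or the NHS API) that validates the two decoded tokens quoted in the question against their intended consumers: the ID token against the client's issuer, client ID and nonce, and the access token against the resource server's issuer and audience. It also shows why a cross-token 'sub' comparison is only defined when both tokens share an issuer; the timestamps passed as `now` are constructed, and signature verification is assumed to have already happened.

```python
# Constructed sample claims from the two decoded tokens in the question. Assumes
# the JWT signatures were already verified against the issuer's JWKS.
ID_TOKEN_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
}
ACCESS_TOKEN_CLAIMS = {
    "iss": "https://cas.nhs.uk",
    "sub": "https://fhir.nhs.uk/Id/sds-role-profile-id|[SDSRoleProfileID]",
    "aud": "https://provider.thirdparty.nhs.uk/GP0001/STU3/1",
    "exp": 1469436987,
    "requested_scope": "patient/*.read",
}

def _audience_matches(aud, expected):
    # 'aud' may be a single string or a list of strings (RFC 7519, section 4.1.3).
    return expected in (aud if isinstance(aud, list) else [aud])

def validate_id_token(claims, issuer, client_id, nonce, now):
    """Client-side checks: the ID token authenticates the user to the client."""
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if not _audience_matches(claims.get("aud"), client_id):
        return False, "not issued to this client"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch (possible replay)"
    if now >= claims.get("exp", 0):
        return False, "expired"
    return True, claims["sub"]

def validate_access_token(claims, issuer, resource, now):
    """Resource-server checks: only the access token authorizes the API call."""
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if not _audience_matches(claims.get("aud"), resource):
        return False, "token was not issued for this resource"
    if now >= claims.get("exp", 0):
        return False, "expired"
    return True, claims["sub"]

def subjects_comparable(id_claims, at_claims):
    """'sub' is only unique within an issuer, so comparing it across two tokens
    is meaningful only when both tokens were issued by the same 'iss'."""
    return id_claims.get("iss") == at_claims.get("iss")
```

For the question's two tokens `subjects_comparable` returns False, which is the point of the answer: the resource server should derive the caller from the access token's own claims rather than pair it with an ID token meant for the client.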