Tags: .net, security, oauth, openid-connect

ID token and access token handling


I read a little bit about the OAuth and OIDC protocols, and there is this concept I find a bit hard to understand: the ID token is meant to be read by the application client while the access token is meant to be read by the API.

But it doesn't stop there; I also read things like "the ID token is for the front-end and the access token for the back-end".

For me it's confusing, e.g. I created a web app using .NET, front end and back end. When I'm logging in, the client has both the ID and access tokens.

Also, the access token is sent to the server so that the client/front end does not see it, in order to prevent hackers from stealing the token.

It seems obvious for some but I can't understand it very well since both tokens go through the client first. (I'm just talking about the pure fundamentals, not the split token or phantom token or anything like that)

Can someone enlighten me on this matter please?


Solution

  • The ID token's main purpose is to allow the client to create the user's cookie-based session. After that, the ID token has no purpose; the token typically has a very short lifetime, like 5 minutes in some setups. The ID token typically describes who is authenticated and claims/facts about the user. In theory the client can discard the ID token after it has created the local session.

    The client typically also receives an access token that it can use to access backend APIs. The client can also ask for a refresh token to automate the renewal of the access token when it expires.
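The flow the answer describes, as an added example that is not part of the question or the answer: an ASP.NET Core web app (the "back end" of the questioner's .NET app) that signs in with OpenID Connect using the authorization code flow, lets the OIDC handler validate the ID token and turn it into a local cookie session, and keeps the access token on the server side for calling a backend API. The issuer URL `https://issuer.example`, the configuration keys `Oidc:ClientId` / `Oidc:ClientSecret` and the resource URL `https://api.example/me` are placeholders, not values from the page.

```csharp
// Added example (not the questioner's or answerer's code): ASP.NET Core app that
// uses the ID token only to build a cookie session and keeps the access token
// server-side. Placeholders: issuer, client id/secret config keys, API URL.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using System.Net.Http.Headers;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpClient();
builder.Services.AddAuthorization();

builder.Services
    .AddAuthentication(options =>
    {
        // Ordinary requests are authenticated by the local cookie session ...
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // ... and an unauthenticated user is sent to the OIDC provider.
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        // The session cookie is the only credential the browser holds after login.
        // It is encrypted by ASP.NET Core Data Protection, so browser-side script
        // cannot read whatever is stored inside it.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://issuer.example";                 // placeholder
        options.ClientId = builder.Configuration["Oidc:ClientId"];     // placeholder key
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];

        // Authorization code flow: the browser only carries a one-time code back
        // to this server; the server redeems it for the tokens over a back channel.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("offline_access"); // request a refresh token as well

        // The handler validates the ID token (signature, issuer, audience, expiry,
        // nonce) and maps its claims into the ClaimsPrincipal that the cookie
        // session stores. After sign-in the ID token itself is not needed again.
        options.TokenValidationParameters.NameClaimType = "name";
        options.GetClaimsFromUserInfoEndpoint = true;

        // Keep access/refresh tokens in the (encrypted) session data so the server
        // can call APIs on the user's behalf later.
        options.SaveTokens = true;
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Who is logged in, according to the session built from the ID token's claims.
app.MapGet("/", (HttpContext ctx) =>
    Results.Text($"Signed in as {ctx.User.Identity?.Name ?? "(no name claim)"}"))
   .RequireAuthorization();

// The access token is read from server-side session data and attached as a
// Bearer token when the server calls the API; it never has to reach page script.
app.MapGet("/profile", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    if (accessToken is null) return Results.Unauthorized();

    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", accessToken);
    var body = await client.GetStringAsync("https://api.example/me"); // placeholder
    return Results.Content(body, "application/json");
}).RequireAuthorization();

app.Run();
```

This is the split the answer is describing: the ID token's job ends once the cookie session exists, the access token lives in server-held session data and is only ever presented to the API, and the browser holds nothing but an encrypted session cookie. The stock OpenIdConnect handler does not renew the access token by itself; when it expires, the server uses the stored `refresh_token` (available via `GetTokenAsync("refresh_token")`) against the provider's token endpoint and updates the session.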