Do we need to send both the access token and the JWT to the customer application?

Hi ,

I want to understand the role of the JWT token in the OAuth password grant type.

a) The user enters login credentials in the application.

b) The application constructs a POST request to the /token API with client id/secret (header) and user id/password (body).

c) APIGEE receives the request, validates the client id/secret and sends the request to LDAP for user id/password authentication.

d) LDAP validates the user id/password. APIGEE generates the token and sends it to the customer application.

Do we need to send both the token and the JWT (jti) to the customer application? Or is only the APIGEE token sufficient? I understand that we can send the JWT as the Apigee token. My question is: do we need to send both the JWT and the APIGEE token to the customer application?

ACCEPTED SOLUTION

My question is that do we need to send both JWT and APIGEE token to customer application?

If you wish, you can do that. Usually you want to do that if the tokens carry different information.

Often the JWT is issued by the Identity Provider (IdP). In fact there is a standard describing a common pattern - it's called OpenID Connect. In that pattern the /token endpoint may deliver an access token as well as an identity token.

The access token is a "bearer token" and acts as a "ticket to ride". Any request that presents that token (in the Authorization header usually) will be checked for authorization based on that token.

The id token is often a packet of information that describes the USER, the person who is authenticating.

So you see the access token and the id token - they have different purposes.

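The accepted answer describes a /token response that carries two tokens with different jobs: a bearer access token that the gateway checks on every API call, and an ID token (a signed JWT) that tells the client who the user is. The script below is an added illustration of that split, not code from this thread, from Apigee or from any IdP. It simulates the password-grant flow from the question end to end: the /token endpoint checks the client id/secret and the user password (a stand-in for the LDAP bind), returns an opaque access token plus an HS256-signed ID token, the client validates the ID token's signature and iss/aud/exp claims, and a gateway-protected API accepts only the access token. The issuer URL, client secret, user, salt and signing key are all constructed for the example; a real IdP would sign ID tokens with an asymmetric key published via JWKS rather than a shared HS256 secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# All values below are constructed for this example (assumptions, not real config).
ISSUER = "https://idp.example.com"                 # assumed issuer URL
ID_TOKEN_KEY = b"constructed-hs256-key-do-not-reuse"  # assumed shared signing key
CLIENTS = {"customer-app": "constructed-client-secret"}
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 50_000)}
TOKEN_LIFETIME = 3600

# Stand-in for the gateway's access-token store: opaque token -> metadata.
ACCESS_TOKENS = {}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT; used here for the ID token."""
    signing_input = b64url(json_bytes({"alg": "HS256", "typ": "JWT"})) + "." + b64url(json_bytes(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_token(token: str, key: bytes, client_id: str, now: int) -> dict:
    """Client-side validation of the ID token: signature first, then iss/aud/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    # Accept only the algorithm we expect; the token must not choose it ("alg": "none").
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or client_id not in auds:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def authenticate_client(client_id: str, client_secret: str) -> bool:
    secret = CLIENTS.get(client_id)
    return secret is not None and hmac.compare_digest(secret, client_secret)


def authenticate_user(username: str, password: str) -> bool:
    """Stands in for the LDAP user id/password check in the question."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000))


def token_endpoint(client_id, client_secret, username, password, now=None) -> dict:
    """Simulated /token for grant_type=password, returning both tokens."""
    now = int(time.time()) if now is None else now
    if not authenticate_client(client_id, client_secret):
        raise PermissionError("invalid_client")
    if not authenticate_user(username, password):
        raise PermissionError("invalid_grant")
    # Access token: an opaque random string that only the gateway's store can interpret.
    access_token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access_token] = {"sub": username, "client_id": client_id,
                                   "scope": "orders:read", "exp": now + TOKEN_LIFETIME}
    # ID token: a signed JWT describing the user, addressed to this client (aud).
    id_token = sign_jwt({"iss": ISSUER, "sub": username, "aud": client_id,
                         "iat": now, "exp": now + TOKEN_LIFETIME,
                         "jti": secrets.token_hex(16), "name": "Alice Example"},
                        ID_TOKEN_KEY)
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": TOKEN_LIFETIME, "id_token": id_token}


def protected_api(headers: dict, now=None):
    """Simulated gateway-protected API: honours only access tokens the gateway issued."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    record = ACCESS_TOKENS.get(auth[len("Bearer "):])
    if record is None or record["exp"] <= now:
        return 401, None
    return 200, record["sub"]


if __name__ == "__main__":
    NOW = 1_700_000_000
    resp = token_endpoint("customer-app", "constructed-client-secret", "alice", "correct horse", now=NOW)
    print("ID token claims:", verify_id_token(resp["id_token"], ID_TOKEN_KEY, "customer-app", NOW))
    print("API with access token:", protected_api({"Authorization": "Bearer " + resp["access_token"]}, NOW))
    print("API with ID token:   ", protected_api({"Authorization": "Bearer " + resp["id_token"]}, NOW))
```

The last two calls in the main block are the point of the exercise: presenting the ID token as a bearer credential gets a 401, because the API only knows the access tokens in its own store, while the access token says nothing about the user until the gateway looks it up. Whether the customer application needs both therefore depends on whether it has to know who the user is (ID token) or only has to call APIs on the user's behalf (access token).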

REPLIES

Do we need to send both the token and the JWT (jti) to the customer application?

Which thing is the customer application?
