
We have a little argument in the company about the way to get user info with OAuth2.

The first developer is getting the user info from inside the access token with the library spring-security-oauth2 and decoding it.

The second developer uses OpenID Connect on top of OAuth2 with the Nimbus library; in this way you get the user info from the UserInfo endpoint.

Which way is better practice? And why use OpenID Connect if I can get my user info without it?

Thanks for any help and explanations.


1 Answer


An access token - and in fact bare OAuth 2.0 - cannot be used to authenticate the user. It can only be used to retrieve information about a user, which may not be the user that is operating the browser. See: https://oauth.net/articles/authentication/

So if you want to authenticate the user - in a standards compliant way - you need to use OpenID Connect.
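As an added illustration (not code from the answer, from Spring Security or from Nimbus), here is the difference between merely decoding a token's payload and performing the checks an OpenID Connect relying party must make on an ID token before trusting `sub`. It assumes a constructed issuer that signs with HS256 and a shared secret; a real provider publishes RS256/ES256 keys, and the issuer, client id, nonce and token values below are all made up for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values (assumptions, not from any real provider or the libraries above).
SECRET = b"constructed-demo-secret"
ISSUER = "https://issuer.example"
CLIENT_ID = "my-app"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Stand-in for the provider: signs claims with HS256 (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """What 'just decode the access token' amounts to: no signature, audience or nonce check,
    so a token minted for a different client (or replayed) is accepted as-is."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_id_token(token: str, secret: bytes, expected_nonce: str,
                    now: Optional[float] = None) -> dict:
    """ID-token checks the relying party must make: signature, iss, aud, exp, nonce.
    The algorithm is pinned to HS256 here; never let the token's header choose it."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

The audience and nonce checks are what tie the token to this client and this login attempt; a bare access token carries no such guarantee for the relying party.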