Authentication with OpenID Connect

[daniil-shadrin-takkt]

I recently started to explore the OAuth 2.0 topic. After trying to make this library work and looking into the library code, some questions appeared. It seems that for authentication only access token is used. I've seen in different sources (docs and courses) that OpenID Connect should be used for that.
I can add openid in SCOPES setting and get the id_token but it would not be used at all.

Does Azure AD allow me to add lots of claims into both access_token and id_token? I've seen this in Optional claims.

Can someone explain why the lib has such implementation?

[JonasKs]

Azure AD uses OIDC whether you want it or not. It even adds more on top of Oauth2 and OIDC in multi-tenant apps.

Access tokens should be used to authenticate towards backends. If you write a JS app you would typically fetch an ID token, then use the ID token to fetch access tokens for each individual backend app you need to send requests to silently in the background. At no point would the ID token be sent to backends.

Read my blog post here to see how it works: https://engineering.intility.com/article/implementing-oauth2-and-openid-connect-in-your-application

Also read this page: https://django-auth-adfs.readthedocs.io/en/latest/oauth2_explained.html

[daniil-shadrin-takkt]

Does it mean that Azure AD combine access token and open id connect token into one? Since you can add even more claims to access token than id_token in the azure app.
I thought they must be 2 different entities. That's why is causes misunderstanding.

[JonasKs]

No, an ID token and and access token is two different things. You can request an access token directly, or request an ID token which later can request access tokens.

[JonasKs]

An ID token should never be used to give someone access to something, it simply identifies the user.