Is there a way to add user information within id_token?
If not, why should one use it after all?
OAuth 2.0 is an open standard protocol for authorization that enables an application to access certain user information or resources from another web service, without giving the user's credentials for that web service to the web application.
The OAuth 2.0 protocol uses a number of actors and grant types to access resources in another web application.
The following actions are performed by an OAuth2 developer to access the resource on behalf of the user without the user's credentials.
A refresh token is sent along with the access token for the supported grant types, namely the authorization code and resource owner credentials grant flows. This refresh token is used to get a new access token when the access token expires within a valid authentication session.
A refresh token can't be used to get an access token with additional scopes (access levels or attributes).
A refresh token can be used to get an access token with the same or a lesser scope than the original access token request.
An access token can be used to access a protected resource. When the client accesses a protected resource, a valid (not expired) access token should be passed as a bearer token in the Authorization header. This is a popular approach for accessing a resource server, that is, a protected resource.
Before granting access, the resource server (the REST service end) validates the access token with the OAuth2 server that issued it and gets the scope information, which says what information can be disclosed or accessed.
sub: user uid
iss: issuer url
iat: timestamp when this token was issued
aud: audience for whom this token is issued; the value is the clientID
exp: expiry time when the token will expire