Security Separation
- Access Token - Authorization
  - Used for API requests; can be refreshed; contains no personal information, only authorization information
- ID Token - Authentication
  - Contains sensitive identity information; used for UI display on the client side; has a short lifespan and cannot be refreshed
- Refresh Token
In practice, a two-stage verification is used: the first stage, at the Authorizer proxy, performs a quick validation of the Access Token (signature, expiry, audience); the second stage, at the internal Procedure DB, obtains the additional application-level authorization information needed for the specific operation.
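The following is an added example (not the note's own code) that shows the separation and the two-stage check end to end with stdlib-only, HMAC-signed JWT-style tokens. The signing key, the `PROCEDURE_DB` dictionary standing in for the note's Procedure DB, the `REQUIRED_SCOPE` mapping and the user record are all constructed for the example; a real deployment would use an asymmetric key from a key-management service and a real database lookup. Stage 1 rejects anything a proxy can decide cheaply (malformed, bad signature, expired, wrong audience, which is how an ID token presented as an access token is caught); stage 2 only runs on tokens that passed stage 1.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret (assumption): production uses a KMS-managed key.
SIGNING_KEY = b"example-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def issue_access_token(sub: str, scopes: list, now: int, ttl: int = 3600) -> str:
    # Authorization only: subject, scopes, audience, lifetime. No name, no email.
    return sign({"sub": sub, "scope": " ".join(scopes), "aud": "api", "iat": now, "exp": now + ttl})


def issue_id_token(sub: str, name: str, email: str, now: int, ttl: int = 300) -> str:
    # Authentication: carries identity for client-side display, short-lived, aud is the client app.
    return sign({"sub": sub, "name": name, "email": email, "aud": "client-app", "iat": now, "exp": now + ttl})


def decode_claims(token: str) -> dict:
    """Decode the payload without verifying; only used here to inspect what a token carries."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def has_personal_info(token: str) -> bool:
    return any(key in decode_claims(token) for key in ("name", "email"))


def stage1_proxy_validate(token: str, now: int, expected_aud: str = "api") -> dict:
    """Cheap checks the Authorizer proxy can do without any database: shape, signature, audience, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")  # e.g. an ID token sent where an access token belongs
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


# Constructed stand-in for the internal Procedure DB (assumption): per-subject application-level grants.
PROCEDURE_DB = {
    "user-42": {"role": "editor", "tenant": "acme", "allowed_procedures": {"report.read", "report.write"}},
}
# Constructed mapping (assumption): which token scope a procedure requires.
REQUIRED_SCOPE = {"report.read": "reports:read", "report.write": "reports:write"}


def stage2_app_authorize(claims: dict, procedure: str) -> tuple:
    """Application-level decision: subject must be known, granted the procedure, and the token scope must cover it."""
    record = PROCEDURE_DB.get(claims["sub"])
    if record is None:
        return False, "stage2: unknown subject"
    if procedure not in record["allowed_procedures"]:
        return False, "stage2: procedure not granted to subject"
    if REQUIRED_SCOPE.get(procedure) not in claims["scope"].split():
        return False, "stage2: token scope does not cover procedure"
    return True, f"stage2: ok (tenant={record['tenant']}, role={record['role']})"


def authorize_request(token: str, procedure: str, now: int) -> tuple:
    """Run both stages in order; stage 2 never sees a token that failed stage 1."""
    try:
        claims = stage1_proxy_validate(token, now)
    except ValueError as err:
        return False, f"stage1: {err}"
    return stage2_app_authorize(claims, procedure)


if __name__ == "__main__":
    now = 1_700_000_000
    access = issue_access_token("user-42", ["reports:read"], now)
    ident = issue_id_token("user-42", "Ada Example", "ada@example.test", now)
    print("access token carries PII:", has_personal_info(access))
    print("id token carries PII:", has_personal_info(ident))
    print(authorize_request(access, "report.read", now + 10))
    print(authorize_request(access, "report.write", now + 10))
    print(authorize_request(ident, "report.read", now + 10))
```

The split of responsibilities is the point: the proxy needs only the verification key and the clock, so it can reject bad tokens at line rate, while the per-subject grant data stays behind the proxy and is consulted only for requests that already proved they carry a valid, in-scope access token.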

Seonglae Cho