ID Token and Access Token: What Is the Difference?

Should I use the ID token or the access token? ID and access tokens have clear and well-defined purposes, and using the wrong one can leave your solution insecure.

What Is an ID Token? An ID token is an artifact that proves that the user has been authenticated. It is encoded as a JSON Web Token (JWT), a standard format that lets your application easily inspect its content, confirm that it comes from the expected issuer, and confirm that no one else changed it. The ID token is not encrypted, only Base64url-encoded (the JWT variant of Base64), so anyone holding it can read its claims; what protects it from tampering is the issuer's signature. It demonstrates that the user has been authenticated by an entity you trust (the OpenID provider), so you can trust the claims it carries about their identity.

What Is an Access Token? The access token is the artifact that allows the client application to access the user's resources. In the OAuth 2 context, the access token allows a client application to access a specific resource and perform specific actions on behalf of the user. Scopes are the mechanism that lets the user authorize a third-party application to perform only those specific operations.

What Is It NOT Suitable For? An ID token does not carry granted scopes (I know, this is another pain point). As said before, scopes let the user restrict the operations your client application can perform on their behalf. Those scopes travel with the access token so that your API knows what the client application can and cannot do. Conversely, the access token is intended for the API, not for the client, so the client application should not inspect it.
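The following is an added example, not code from the original article or from any OpenID provider, that puts both halves of the discussion into working code: it decodes an ID token without verification (showing it is only Base64url-encoded, not encrypted), validates signature, issuer, audience and expiry the way a client should, and then shows an API rejecting that same ID token because its audience is the client and it carries no scopes, while accepting a properly scoped access token. For the sake of running offline it signs tokens with HS256 and a shared secret; real OpenID providers normally use an asymmetric algorithm such as RS256 with keys published via JWKS. The issuer URL, client ID, API audience, secret, clock value and scope names are all constructed for this demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this offline demo (hypothetical, not from any real provider).
SECRET = b"demo-shared-secret-not-for-production"  # HS256 shared key; real OPs use RS256 + JWKS
ISSUER = "https://op.example"                      # hypothetical OpenID provider
CLIENT_ID = "my-web-app"                           # hypothetical client; audience of the ID token
API_AUDIENCE = "https://api.example"               # hypothetical resource server; audience of the access token
NOW = 1_700_000_000                                # fixed clock so results are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Build a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying anything: proves the token is readable, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, expected_aud: str, now=None) -> dict:
    """Check signature, pinned algorithm, issuer, audience and expiry; raise ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def client_accepts_id_token(id_token: str, now=None) -> bool:
    """Client side: an ID token is proof of authentication addressed to THIS client (aud == client_id)."""
    try:
        verify_jwt(id_token, CLIENT_ID, now)
        return True
    except ValueError:
        return False


def api_authorizes(access_token: str, required_scope: str, now=None) -> bool:
    """Resource-server side: accept only a token issued for this API that carries the needed scope."""
    try:
        claims = verify_jwt(access_token, API_AUDIENCE, now)
    except ValueError:
        return False
    return required_scope in claims.get("scope", "").split()


def make_id_token(now=NOW) -> str:
    # Constructed ID token: identity claims, audience = client, no scope claim.
    return sign_jwt({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                     "iat": now, "exp": now + 3600, "email": "alice@example.com"})


def make_access_token(now=NOW) -> str:
    # Constructed access token: audience = API, scope claim present (space-separated).
    return sign_jwt({"iss": ISSUER, "sub": "user-123", "aud": API_AUDIENCE,
                     "iat": now, "exp": now + 3600, "scope": "read:messages"})


def tampered_id_token() -> str:
    """Re-encode the payload with a different subject but keep the original signature."""
    header_b64, _, sig_b64 = make_id_token().split(".")
    claims = peek_claims(make_id_token())
    claims["sub"] = "user-999"
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    print("readable without a key:", peek_claims(make_id_token())["email"])
    print("client accepts ID token:", client_accepts_id_token(make_id_token(), NOW))
    print("API accepts ID token:", api_authorizes(make_id_token(), "read:messages", NOW))
    print("API accepts access token:", api_authorizes(make_access_token(), "read:messages", NOW))
    print("client accepts tampered ID token:", client_accepts_id_token(tampered_id_token(), NOW))
```

The API rejects the ID token for two independent reasons, and either alone would be enough: its `aud` names the client rather than the API, and it has no `scope` claim, so even a permissive API could not tell what the client is allowed to do. The tampering case shows why "inspect the content" and "verify the signature" are different steps: `peek_claims` happily returns the forged subject, while `verify_jwt` refuses it.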
