OAuth 2 access_token vs OpenId Connect id_token
Another angle to provide an answer:
id_token
- An id_token is a JWT - make note of that!
- It contains claims about the identity of the user/resource owner
- Having a valid id_token means that the user is authenticated
access_token
- An access_token is a bearer token
- A bearer token means that the bearer can access the resource without further identification
- An access_token can be a JWT (see Appendix point 1.) or opaque
If you want to read more: Types of tokens in oidc and oauth
access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.
id_token is a JWT and represents the logged in user. It is often used by your app.
is it possible to use both the access_token and the id_token for accessing the protected resources ?
Not completely, first, you need to use id_token to log in,
second, you will get a accessToken,
last, use accessToken to access data.
Originally, OAuth and OpenId are designed for different purpose: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. ;-)
The id_token is used to identify the authenticated user, e.g. for SSO. The access_token must be used to prove access rights to protected resources, e.g. for the userinfo endpoint in OpenId Connect.