Auth0 has a blog post outlining the differences between access_tokens and id_tokens.
In the post, it mentions a couple of reasons why you shouldn’t pass an id_token to an API:
id_token is signed with a secret that is known to the client (since it is issued to a particular client). This means that if an API were to accept such token, it would have no way of knowing if the client has modified the token (to add more scopes) and then signed it again.
Putting aside the other reasons to pass an access_token to the API, this part confuses me. Both tokens are issued and signed by auth0, correct? If the application is passing either token, couldn’t either of them technically be changed? I was under the impression that the signing token in both cases is the one that’s available under the Application settings in Auth0’s management console.
If that’s the case, what’s the difference between the two from a security standpoint? If it’s the case that a client has access to the signing/private certificate for the id_token, but not the access_token, I’m wondering why provide more access to the id_token.
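The distinction the quoted blog passage is making, shown as an added example that is not part of the original post or of Auth0's code: when a token is signed with a shared secret (HS256, an HMAC), any party holding that secret can verify tokens and mint new ones, so the API's verifier cannot tell an issued token from one a secret-holder rebuilt with extra scopes. When a token is signed with a private key (RS256), the API verifies with only the public key, which cannot produce a signature, so a payload that was changed after issuance fails verification. The function names, the sample claims and the secret value are constructed for this example; it builds minimal JWTs with Go's standard library rather than any Auth0 SDK.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWTs use base64url without padding for every segment.
var b64 = base64.RawURLEncoding

// encodeSegments builds the unsigned "header.payload" part of a JWT.
func encodeSegments(alg string, claims map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, _ := json.Marshal(claims) // map keys are marshalled in sorted order
	return b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
}

// SignHS256 signs with a shared secret: whoever holds it can mint tokens.
func SignHS256(claims map[string]interface{}, secret []byte) string {
	signing := encodeSegments("HS256", claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signing))
	return signing + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 recomputes the HMAC; it cannot tell which secret-holder signed.
func VerifyHS256(token string, secret []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	return err == nil && hmac.Equal(sig, mac.Sum(nil))
}

// SignRS256 signs with a private key that only the issuer holds.
func SignRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	signing := encodeSegments("RS256", claims)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signing + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks with the public key; the verifier holds nothing that could sign.
func VerifyRS256(token string, pub *rsa.PublicKey) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Constructed sample claims: the token as issued, and the same subject with extra scopes.
var issuedClaims = map[string]interface{}{"sub": "user123", "scope": "read"}
var widenedClaims = map[string]interface{}{"sub": "user123", "scope": "read write admin"}

// Outcome records what the API-side verifier accepts in each case.
type Outcome struct {
	HSIssuedAccepted   bool // HS256 token exactly as issued
	HSResignedAccepted bool // HS256 token rebuilt with wider scopes by a secret-holder
	RSIssuedAccepted   bool // RS256 token exactly as issued
	RSTamperedAccepted bool // RS256 payload changed, original signature kept (no private key)
}

// Demo runs both cases and returns the verifier's decisions.
func Demo() (Outcome, error) {
	var out Outcome
	secret := []byte("constructed-client-secret") // constructed, not a real Auth0 value
	out.HSIssuedAccepted = VerifyHS256(SignHS256(issuedClaims, secret), secret)
	out.HSResignedAccepted = VerifyHS256(SignHS256(widenedClaims, secret), secret)

	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	rsToken, err := SignRS256(issuedClaims, priv)
	if err != nil {
		return out, err
	}
	out.RSIssuedAccepted = VerifyRS256(rsToken, &priv.PublicKey)
	parts := strings.Split(rsToken, ".")
	payload, _ := json.Marshal(widenedClaims)
	tampered := parts[0] + "." + b64.EncodeToString(payload) + "." + parts[2]
	out.RSTamperedAccepted = VerifyRS256(tampered, &priv.PublicKey)
	return out, nil
}

func main() {
	out, err := Demo()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

Both HS256 decisions come back true: the verifier accepts the widened token because it is a valid HMAC under the shared secret, which is exactly the "no way of knowing if the client has modified the token and then signed it again" problem. For RS256 the issued token is accepted and the tampered one is rejected, and the API only ever needed the public key, so handing it the token gives it no signing capability.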