It's pretty clear that access_tokens are for APIs to verify authorization to specific endpoints on a resource and that identity_tokens are for clients only.
In our case we have an API (resource) and a front end client app. The client app authenticates with Auth0 and is sent an access_token and identity_token (using the password-realm grant). The front end client will send the access_token when making calls to the API. However, our API also needs to know who the user is that initiated the request for auditing purposes.
We could call the /userinfo endpoint from the API to retrieve this, but that would have to happen for every single request. Would it be considered a bad practice in this case to forward the identity_token to the API?
According to Google's OIDC standards it is acceptable: https://developers.google.com/identity/protocols/OpenIDConnect (see the "validating an ID token" section)
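Added example, not code from the question, from Auth0, or from the linked Google page: a standard-library-only Python routine that performs the checks the Google "validating an ID token" section lists (signature, issuer, audience, expiry) before an API reads the `sub` claim for its audit log. To run offline it signs a constructed token with HS256 and a constructed shared secret; Auth0 ID tokens are normally RS256 and would be verified against the tenant's JWKS instead, so the algorithm, `ISSUER`, `CLIENT_ID` and `DEMO_SECRET` values are all assumptions. The one point the example makes concrete is the audience: an ID token's `aud` is the front end's client_id, not the API's identifier, so an API that accepts a forwarded ID token must be configured to check for that client_id and reject anything else.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not taken from the question).
DEMO_SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://example-tenant.auth0.example/"   # placeholder issuer URL
CLIENT_ID = "spa-client-id-placeholder"            # the front end's client_id


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT so the example has a token to check. A real IdP
    signs ID tokens itself; this helper only stands in for it offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class IdTokenError(Exception):
    """Raised when a forwarded ID token fails any validation step."""


def validate_id_token(token: str, secret: bytes = DEMO_SECRET, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID, now: float = None) -> dict:
    """Verify signature, issuer, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the API expects; never let the token choose it
    # (this also rejects "alg": "none").
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    # An ID token is addressed to the client app, so the API must check for
    # the front end's client_id here, not for its own API identifier.
    if client_id not in aud_list:
        raise IdTokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("expired")
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


def audit_identity(token: str, **kwargs) -> dict:
    """What the API would record per request: the stable subject identifier
    (and email if present), taken only from a token that passed validation."""
    claims = validate_id_token(token, **kwargs)
    return {"sub": claims["sub"], "email": claims.get("email")}


if __name__ == "__main__":
    now = int(time.time())
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|demo-user",
                           "iat": now, "exp": now + 300, "email": "user@example.com"})
    print(audit_identity(token))
```

In a real deployment the `secret`/HS256 pair would be replaced by the tenant's JWKS public key and RS256, and the `now` parameter exists only so the expiry check can be tested deterministically.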