Forwarding identity_token to resource server.

It's pretty clear that access_tokens are for APIs to verify authorization to specific endpoints on a resource and that identity_tokens are for clients only.

In our case we have an API (resource) and a front end client app. The client app authenticates with auth0 and is sent an access_token and identity_token (using the password-realm grant). The front end client will send the access_token when making calls to the API. However our API also needs to know who the user is that initiated the request for auditing purposes.

We could call the /userinfo endpoint from the API to retrieve this, but that would have to happen for every single request. Would it be considered a bad practice in this case to forward the identity_token to the api?

According to Google's OIDC standards it is acceptable: OpenID Connect | Authentication | Google Developers (see the "validating an id token" section)
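As an added example that is not part of the original thread or Auth0's own code, the following stand-alone Python sketch shows what a resource server would have to do if it accepted a forwarded ID token for auditing: authorize the call using the access token (whose `aud` is the API), verify the ID token independently with its own expected audience (the client application's client_id, since that is who the ID token was issued to), and require that both tokens name the same `sub` before writing the audit record. To stay runnable offline with the standard library only, it uses HS256 with a constructed shared secret; a real Auth0 tenant would mint RS256 tokens verified against the tenant's JWKS. The issuer URL, client_id, API audience, scope name and secret are all placeholders, and the two tokens are constructed inside the block.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder values for illustration only (not real tenant data).
ISSUER = "https://example-tenant.auth0.com/"
CLIENT_ID = "client-app-client-id-placeholder"   # aud of the ID token
API_AUDIENCE = "https://api.example.com"          # aud of the access token
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenError(Exception):
    """Raised for any reason a token must not be trusted."""


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT. Used here only to construct sample tokens; in a real
    deployment the identity provider signs, and the API never holds a signing key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Checks a resource server must perform before trusting any claim:
    allow-listed alg, valid signature, expected iss and aud, not expired."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")  # never let the token choose its own algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")  # RFC 7519 allows a string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def handle_api_request(access_token: str, id_token: str, secret: bytes, now=None) -> dict:
    """Authorization comes from the access token; the ID token only supplies
    the audit identity, and only if it describes the same subject."""
    access = verify_jwt(access_token, secret, ISSUER, API_AUDIENCE, now)
    if "read:orders" not in access.get("scope", "").split():
        raise TokenError("insufficient scope")
    ident = verify_jwt(id_token, secret, ISSUER, CLIENT_ID, now)
    if ident.get("sub") != access.get("sub"):
        raise TokenError("id_token subject does not match access_token subject")
    return {"subject": ident["sub"], "audit_name": ident.get("name"), "scope": access["scope"]}


def rejects(access_token: str, id_token: str, now) -> str:
    """Return the rejection reason, or an empty string if the request is accepted."""
    try:
        handle_api_request(access_token, id_token, SECRET, now)
        return ""
    except TokenError as err:
        return str(err)


def make_sample_tokens(now, subject="auth0|user123", id_exp=None):
    """Constructed sample pair: an access token for the API and an ID token for the client app."""
    access = sign_hs256({"iss": ISSUER, "sub": subject, "aud": [API_AUDIENCE],
                         "scope": "openid read:orders", "iat": now, "exp": now + 3600}, SECRET)
    ident = sign_hs256({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID, "name": "Sample User",
                        "iat": now, "exp": id_exp if id_exp is not None else now + 3600}, SECRET)
    return access, ident


if __name__ == "__main__":
    t = 1_700_000_000
    at, idt = make_sample_tokens(t)
    print(handle_api_request(at, idt, SECRET, t))
    print("swapped tokens:", rejects(idt, at, t))
```

The audience check is the whole point: the ID token's `aud` is the client application, so the API cannot use it as proof that the caller is allowed to reach the endpoint, and the swapped-token case above is rejected for exactly that reason. The subject cross-check closes the remaining gap, an ID token for one user being paired with an access token for another.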


As it has been more than a few months since this topic was opened, and there has been no reply or further information provided as to the existence of the issue, we are closing this topic. Please don’t hesitate to create a new topic if this issue is still present, we would be happy to work with you to help find a resolution.