Id_token vs access_token: authentication and user data

Hey guys,

So here (tokens) it is mentioned that access tokens must never be used for authentication, but here (access_tokens) it is vice versa, and it is confusing.

Also, if I try to decode the access_token using the given algorithm, it throws an error:

    jwt.get_unverified_header(token)
    JWTError("Error decoding token headers.")

This is the flow I decided to go with, although it seems faulty.

  1. I get the id_token and validate it against its own respective audience
  2. Upon successful validation I fetch user data from it and allow the user to proceed to the backend API

However, this way I never need access/refresh tokens; thus, if the id_token (which is permanent) gets exposed, user data is also exposed permanently.
Correct me if I am wrong.

What should I do? Continue using id_token?
Why does the access_token fail to decode? How else can I decode it?
Also, please share some actual practices to follow, but not this one (token-best-practices); I have read it in detail.
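Added example, not part of the original post and not any provider's SDK: a small standard-library-only validator that performs the checks the id_token step of the flow above needs (pinned algorithm, signature, `iss`, `aud`, `exp`) and shows why an opaque access token fails at the header-parsing stage when fed to a JWT decoder. Everything in it is constructed: the issuer URL, client id and shared secret are sample values, signing is HS256 with a shared secret instead of the RS256-plus-JWKS setup a real OIDC issuer uses, and `sign_hs256`, `get_unverified_header`, `validate_id_token` and `verdict` are local helpers, not library calls.

```python
"""Minimal JWT/id_token validator (added example, stdlib only).

Assumptions (constructed, not from the post): HS256 with a shared secret,
sample issuer/client values, and an opaque access token that is just a
random string with no JWT structure.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://issuer.example"          # constructed sample issuer
CLIENT_ID = "my-client-id"                 # constructed audience (client id)
SECRET = b"constructed-shared-secret"      # constructed HS256 key
OPAQUE_ACCESS_TOKEN = "4f1c9b2e7a3d81c6"   # constructed: not a JWT at all


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWS (header.payload.signature) for the demo issuer."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def get_unverified_header(token: str) -> dict:
    """Parse the JOSE header without checking the signature.

    An opaque access token has no dots and no base64url JSON header, so it
    fails here; this mirrors the "Error decoding token headers" symptom.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("Error decoding token headers: not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise TokenError("Error decoding token headers.") from exc
    if not isinstance(header, dict):
        raise TokenError("Error decoding token headers: header is not an object")
    return header


def validate_id_token(token: str, audience: str = CLIENT_ID, issuer: str = ISSUER,
                      secret: bytes = SECRET, now=None) -> dict:
    """Full check an id_token needs before its claims are trusted."""
    now = time.time() if now is None else now
    header = get_unverified_header(token)
    # Pin the expected algorithm; never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p).decode("utf-8"))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    # An id_token is not permanent: it carries exp and must be rejected after it.
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def verdict(token: str, now=None) -> str:
    """Convenience wrapper: 'accepted:<sub>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validate_id_token(token, now=now)["sub"]
    except TokenError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    good = sign_hs256({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                       "iat": 1000, "exp": 4000})
    print("id_token, valid window:", verdict(good, now=2000))
    print("id_token, after exp:   ", verdict(good, now=4000))
    print("opaque access token:   ", verdict(OPAQUE_ACCESS_TOKEN, now=2000))
```

Because the validator rejects on `exp`, a leaked id_token stops being accepted once it expires instead of granting access indefinitely, and the `aud` check means an id_token minted for one client is refused by another. The opaque access token never reaches any of those checks: it has no JOSE header to parse, which is the same class of failure the post reports from `get_unverified_header`.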