I figured out what I was doing wrong. I was following this guide on how to use auth0 with vue.js and django, and with that implementation, I only had access to the access_token on the server, while all interesting user data is in the id_token.
I still have some questions as to what’s the best practice on how to use the information in the id_token. At the moment, I’m just decoding it on the front end, but what if I need to know the user’s email, for example, on the server. How should I retrieve it, since all I have at the moment is the user’s sub?
I’m sure from the questions it’s obvious I’m new to this, so thanks for any help.
The id_token represents authentication and is an optimization in OIDC for the /userinfo endpoint. This token is meant to be consumed by the application and can contain whatever information your client/application needs to know about the authenticated user. As mentioned this is an optimization so the access_token will contain the scopes to retrieve most information in the id_token by making a call to the /userinfo endpoint when sending the access_token as an authorization header.
The access_token represents an authorization policy for a given resource owner (in your case this is the user). The access_token typically communicates the user via the sub claim, however since this is the Auth0 user if customers often want to key the user in some other property like email address. You can do this using a rule by adding a custom claim to the access token. This is considered fine.
One more note worthy point is to make sure the client never inspects the access token.