I followed the basic example here to set up authentication for my app: GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications.. By default it uses the implicit flow, which returns an id_token stored in an encrypted cookie. This id_token is used for authenticating subsequent requests to endpoints using the requiresAuth middleware.
My question are 1) isn’t it standard to use the access token for auth instead of the id token? and 2) how can you refresh the id_token with this flow? It seems like you need refresh token, which isn’t provided in this flow.