I have a SPA app which is backed by a rest api server.
I use Auth0 for authentication and authorization using the implicit grant flow.
All the examples I read explain that I should send the access token which I receive to the API for authorization purposes. For example:
On the other hand, I read that an access token cannot be used as proof of authentication:
Thread Safe: The problem with OAuth for Authentication. End User Authentication with OAuth 2.0 — OAuth
That means I cannot trust the sub claim in my access token to be sure that this is indeed the user and not another client that sent its access token. Meaning, if I used Facebook as the IdP, another web app could send an access token issued to it by the user to my server, and because access tokens don't have an aud claim, my server would think that the user is authenticated in my web app. Moreover, I see that Google Sign-In indeed guides the SPA to send an ID token to the server: Authenticate with a backend server | Authentication | Google Developers
So: should I send both the ID token (for authentication) and the access token (for authorization) to my server?