So I’ve read this page top to bottom and am still confused about the separation of concerns between ID and access tokens.
That page clearly states “Access Tokens must never be used for authentication”. My question is: “Can I use access tokens for authentication?”
I want to pass the access token to my (first-party) backend API. I don’t need any information about them except their User ID. The way you make it sound, I’d need to send both the id_token and access_token to my backend: one to authenticate, one to authorize. Do I need to do that? Or can I rely on the access_token to authenticate the user? In that case, can you take this terribly over-reaching statement out of the docs?