Hi @moticom
It sounds to me like you DO need an access token.
Using the ID token to identify your user and pull out roles and permissions is appropriate.
However, when you call an API, you need to ensure that the user is authorized for that API (this is a simple yes/no, not involving roles/permissions). This is done via the access token. Each API has its own audience, and a user can call some APIs but not others.
John
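
The audience check described in the reply above, as an added example that is not part of the original post: an API accepts a token only if it is validly signed, unexpired, and issued for that API's audience, so an ID token (whose audience is the client application) is refused even though it carries roles. The HS256 shared secret, the audience URLs and the client ID are constructed assumptions so the sketch runs offline with the standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed values; a real API would verify against the issuer's published keys.
SECRET = b"constructed-demo-secret"
ORDERS_API = "https://orders.example.com"      # hypothetical API audience
BILLING_API = "https://billing.example.com"    # hypothetical API audience
CLIENT_ID = "spa-client-123"                   # hypothetical application client ID

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Stand-in for the authorization server: sign claims as an HS256 JWT."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def authorize(token: str, api_audience: str) -> bool:
    """API-side yes/no: valid signature, not expired, issued for this API."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":
            return False  # pin the algorithm instead of trusting the header
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return False
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return False
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    return api_audience in audiences

now = int(time.time())
# Access token issued for the orders API only.
access_token = mint({"sub": "user-1", "aud": ORDERS_API, "exp": now + 300})
# ID token: audience is the client application, even though it carries roles.
id_token = mint({"sub": "user-1", "aud": CLIENT_ID, "exp": now + 300, "roles": ["admin"]})
expired_token = mint({"sub": "user-1", "aud": ORDERS_API, "exp": now - 1})
```
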