Let me preface this by saying I am using Google Cloud Endpoints Framework in Java (which is supported by auth0 and Cloud Endpoints). In this framework the JWT token that is passed must contain an email claim; if it does not, then the backend doesn't get called. Unfortunately the access_token that auth0 provides does not have an email claim. I could add a namespaced email claim to this token using rules, however I don't have access to change Google's codebase which they are hosting, so it would never pick up this custom claim.
Whilst I could send an id_token, which contains a user, and this authenticates correctly, I would like to know why you recommend against it.
I see the main argument is that
id_token is signed with a secret that is known to the client (since it is issued to a particular client)
However, as my client or application is a SPA which uses PKCE, I don't believe the client would have knowledge of the secret. If this is the case, then why can I not provide the id_token to authenticate?
In the Google doc I believe this is what it suggests: Authenticating users | Cloud Endpoints Frameworks for App Engine. Notice they say to set the audience to check for to be the client ID, not the custom API.
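To make the two checks the post turns on concrete, here is an added illustration (not code from the post, Auth0 or Google's Endpoints framework): a minimal JWT validator that rejects a token unless it is signed correctly, carries the expected audience, and contains an email claim, run over two constructed tokens shaped like the post's id_token and access_token. It signs with HS256 and a demo secret purely to stay self-contained; the issuer, client ID and API audience values are placeholders, and a real Auth0 token would be checked against the tenant's published keys instead.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret: only here so the example runs offline.
SECRET = b"demo-secret-for-illustration-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Build an HS256 JWT from a claims dict (demo issuer, not Auth0)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate(token: str, expected_aud: str) -> Optional[dict]:
    """Return the claims only if signature, audience and email claim all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # tampered or foreign token
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return None  # token was not issued for this audience
    if not claims.get("email"):
        return None  # the backend needs a caller identity via the email claim
    return claims


# Placeholder identifiers, constructed for the example.
CLIENT_ID = "spa-client-id-placeholder"
API_AUDIENCE = "https://api.example.invalid"
ISSUER = "https://tenant.example.invalid/"

# Shaped like an id_token: audience is the client ID and email is present.
ID_TOKEN = make_token({"iss": ISSUER, "sub": "auth0|123", "aud": CLIENT_ID,
                       "email": "user@example.invalid"})
# Shaped like an access_token: API audience, scopes, but no email claim.
ACCESS_TOKEN = make_token({"iss": ISSUER, "sub": "auth0|123",
                           "aud": [API_AUDIENCE, CLIENT_ID], "scope": "openid"})
```

Validating ACCESS_TOKEN against CLIENT_ID fails on the missing email claim even though the audience matches, which is the behaviour the post describes; validating ID_TOKEN against the API audience fails on the audience check.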