Scenario - Legacy application(s) which needs to be authenticated using OpenID connect. We are using keycloak as the IP.
All, I really need is a single authentication mechanism for multiple applications. After authenticating, I also need is the 'user-id' information (claim).
I have the access_token (scope openid). Do I also need an id_token to access the "user-id" information? or DO I need to decode "access_token?
You really need the id_token because only that token tells you who the user is that signed in, where the user signed in to and whether the token was actually issued for your application and not swapped for some other.
The access_token has different semantics: it tells you nothing on its own but could be used to access protected resources. Moreover, the access token could be swapped in by a man-in-the-middle.
