According to the documentation (https://auth0.com/docs/tokens/id-token#control-the-contents-of-an-id-token) it is possible to ask for an id_token containing the user's profile, e-mail...
So why would I be calling getUserInfo as shown in the example https://auth0.com/docs/libraries/lock/v11#2-authenticating-and-getting-user-info ?
I am not sure what your scenario is but imagine a Single Page Application (SPA) in combination with a backend API.
TL;DR
the backend API should use the access_token + /userinfo. The id_token is convenience for the frontend application.
Some more details:
Suppose you do the authentication directly in the SPA. This yields and access_token and an id_token.
The id_token can be used by the SPA to show some extra information (nickname, email, ...).
Now what if the SPA wants to make a call the a protected endpoint in the backend API?
A possibility here would be that it passes the access_token in the Authorization header (e.g. Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c see jwt.io)
So the backend should:
access_token. For example using the JSON Web Key Set (https://YOUR_AUTH0_DOMAIN/.well-known)
call /userinfo to fetch the real user information, e.g. Auth0 Get User Info
GET https://<YOUR_AUTH0_DOMAIN>/userinfo
Authorization: 'Bearer {ACCESS_TOKEN}'
You can also pass the id_token (in a custom header or as payload) but the backend should not trust that information (the end user could have forged it for example by changing the id_token and claiming she is a superadmin user instead of a regular user).
