
I can't figure out why you would need an ID token when you use an access token. I'm not sure if this question arose only because I use both in conjunction with AWS, so I added the AWS tag.

In AWS both tokens contain the cognito ID (basically user ID). In addition to that, the ID Token also contains user name and user email.

This is why I think the ID token is not necessary:

  • The additional information (like user name and email) can be retrieved easily from the user DB (Cognito in this case) - that should be rather quick.
  • The additionally needed information could simply be put into the Access token at creation time as custom fields.

So: what am I overlooking?

Answer (based on Auth0)

One of the most common mistakes developers make with an ID token is using it to call an API.

[...] there is no mechanism that ties the ID token to the client-API channel. If an attacker manages to steal your ID token, they can use it to call your API like a legitimate client.

For the access token, on the other hand, there is a set of techniques, collectively known as sender constraint, that allow you to bind an access token to a specific sender. This guarantees that even if an attacker steals an access token, they can’t use it to access your API since the token is bound to the client that originally requested it.

DarkTrick
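The Auth0 passage quoted above makes two points: an API must refuse an ID token, and an access token can be bound to the client that requested it. As an added example (not from the question or from Auth0), here is a minimal resource-server check in Python, standard library only, that models both: it rejects anything lacking Cognito's `token_use: "access"` claim or the API's audience, and requires the RFC 7800 `cnf.jkt` key thumbprint to match the key the caller proved possession of. The secret, audience, client ID and keys are constructed placeholders, and HS256 stands in for the provider's asymmetric signature.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-hmac-key"   # real servers verify RS256 against the issuer's JWKS
API_AUDIENCE = "https://api.example.com"  # assumed resource identifier
CLIENT_ID = "1example23456789"            # assumed app client id

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Build an HS256 JWT; stands in for the identity provider's signer."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def thumbprint(public_key: bytes) -> str:
    """Key thumbprint carried in cnf.jkt (RFC 7800 confirmation claim)."""
    return _b64(hashlib.sha256(public_key).digest())

def accept(token: str, sender_key: bytes) -> tuple:
    """Resource-server check: signature, token type, audience, expiry, sender binding."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("token_use") != "access":  # Cognito's token_use claim: ID tokens are refused
        return False, "not an access token"
    if claims.get("aud") != API_AUDIENCE:    # ID tokens are audienced to the client, not the API
        return False, "wrong audience"
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    jkt = claims.get("cnf", {}).get("jkt")   # sender constraint: key the client proved it holds
    if jkt is None or not hmac.compare_digest(jkt, thumbprint(sender_key)):
        return False, "sender binding failed"
    return True, claims["sub"]

def demo() -> dict:
    """Constructed sample: an ID token and a sender-bound access token for one user."""
    now, client_key = int(time.time()), b"constructed-client-public-key"
    id_token = mint({"sub": "u-123", "aud": CLIENT_ID, "token_use": "id",
                     "email": "user@example.com", "exp": now + 300})
    access_token = mint({"sub": "u-123", "aud": API_AUDIENCE, "token_use": "access",
                         "exp": now + 300, "cnf": {"jkt": thumbprint(client_key)}})
    return {"id_token_at_api": accept(id_token, client_key),
            "legit_client": accept(access_token, client_key),
            "stolen_token": accept(access_token, b"constructed-other-key")}
```

The third case is the one the quoted text describes: the access token is valid and unexpired, but presented by a caller holding a different key, so a sender-constrained API still refuses it.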
