theNoob

Reputation: 181

OpenID Connect - What token is best to be used for authentication

I am trying to implement OpenID Connect authentication for my system.

Overview of my system

1 - Mobile application, cloud, and server.

2 - The user enters credentials in the mobile client, and the client sends the necessary token to the cloud.

3 - The cloud will work as a proxy and send the token to the server, and the server will authenticate the user.

For such a scenario, what should be the ideal token for authentication? ID token or access token?

Is there any specification or reliable source that mentions the best practice / standard for choosing the right token?

I am trying to work with ID tokens and I came across this issue - OpenID Connect for native applications, I need to get a valid ID token without prompting the user after the initial authorization?

Upvotes: 0

Views: 113

Answers (1)

Eyal Liebermann

Reputation: 96

An access token is an opaque sequence that allows its holder to call an API with a given set of permissions for a given period of time.

An ID token contains brief details about the user and some metadata about the token to which it is attached.

A mobile application that works with an identity provider supporting OpenID Connect would use a hybrid flow with either 'id_token' or 'id_token token' as the response type.

I believe that in your case the questions I would ask are:

  1. What claims does the id_token from the auth endpoint in this specific implementation contain? Is it only the subject?
  2. Is the information in the token_id enough for the mobile application? What user info does it need on top of the user identifier?
  3. Is the application expected to make subsequent authenticated calls on the identity provider server API?

Eyal

Upvotes: 1
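
One way to answer questions 1 and 2 above for a given provider is to validate an ID token and separate its protocol metadata from the user claims it carries. This is an added example, not part of the original answer: the issuer, client ID, secret and claims are constructed, and HS256 is assumed so it runs with the standard library only (many providers sign ID tokens with RS256 instead).

```python
import base64, hashlib, hmac, json

# Claims OpenID Connect Core defines as protocol/token metadata, not profile data.
METADATA = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
            "acr", "amr", "azp", "at_hash", "c_hash"}
# Constructed sample values (assumptions, not from any real provider).
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_CLAIMS = {"iss": "https://idp.example", "sub": "user-123",
                 "aud": "mobile-app", "iat": 1700000000, "exp": 1700003600,
                 "email": "user@example.com", "name": "Sample User"}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_sample_id_token(claims, secret):
    """Build a constructed HS256 ID token so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64e(_sign(signing_input, secret))}"

def inspect_id_token(token, secret, issuer, client_id, now):
    """Validate the token, then report which user claims it actually carries."""
    head, body, sig = token.split(".")
    if json.loads(_b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    if not hmac.compare_digest(_sign(f"{head}.{body}", secret), _b64d(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64d(body))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    profile = {k: v for k, v in claims.items() if k not in METADATA}
    return {"subject": claims["sub"], "profile_claims": profile,
            "subject_only": not profile}

if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    print(inspect_id_token(token, SAMPLE_SECRET, "https://idp.example",
                           "mobile-app", now=1700000100))
```

When `subject_only` is true, the ID token alone identifies the user but carries no profile data, so any further user info has to come from elsewhere.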
