OIDC, how to send both access token and ID token for API calls?

[tamis-laan]

I implemented OIDC with swagger ui:

openapi

components:
  securitySchemes:
    auth0:
      type: openIdConnect
      openIdConnectUrl: https://<name>.auth0.com/.well-known/openid-configuration

index.html

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="utf-8" />
		<meta name="viewport" content="width=device-width, initial-scale=1" />
		<meta
			name="description"
			content="SwaggerUI"
		/>
		<title>SwaggerUI</title>
		<link rel="stylesheet" href="https://unpkg.com/[email protected]/swagger-ui.css" />
		<link rel="icon" href="/docs/favicon.ico" type="image/x-icon">
	</head>
	<body>
		<div id="swagger-ui"></div>
		<script src="https://unpkg.com/[email protected]/swagger-ui-bundle.js" crossorigin></script>
		<script src="https://unpkg.com/[email protected]/swagger-ui-standalone-preset.js" crossorigin></script>
		<script>
		// When browser window is finished loading
		window.onload = () => {
			// Create swagger ui
			const ui = SwaggerUIBundle({
				url: '/docs/openapi.yaml',
				dom_id: '#swagger-ui',
				validatorUrl: null,
				presets: [
					SwaggerUIBundle.presets.apis,
					SwaggerUIStandalonePreset
				],
				layout: "StandaloneLayout",
				oauth2RedirectUrl: window.location.origin + '/docs/oauth2-redirect.html',
				persistAuthorization: true,
				requestInterceptor: function(request) {
					if (request.url.includes('auth0.com/oauth/token')) {
						request = {...request, body: `${request.body}&audience=${encodeURIComponent("https://api.dev.local/")}`,
						}
					}
					console.log(request)
					return request
				},
			})
			// Init oauth
			console.log(ui.initOAuth({
				clientId: "<client id>",
				appName: "My app",
				scopeSeparator: " ",
				scopes: "openid profile",
				additionalQueryStringParams: {audience: "https://api.dev.local/"},
				usePkceWithAuthorizationCodeGrant: true,
			}))
			// Set UI
			window.ui = ui
		}
		</script>
	</body>
</html>

This works and Auth0 gives me back a access token and an id token. I want to use these with my API to both access resources and identify the user (as to know which resources are specific to the user). The access token is already send along with the request in the Authorization header.

Now I also want swagger to send along the id_token. How do I do this?

[iggbom]

Don't, the ID token is intended for the client/app, not the API. The access token should contain the subject so the API should know who the user is.