fractaledmind / oauth-demo

Can you use supplied ID token to get user information #17

Open blafri opened 4 months ago

blafri commented 4 months ago

Hey @fractaledmind thanks for the YouTube video on OAuth authentication. I have a quick question about the line below:

https://github.com/fractaledmind/oauth-demo/blob/2bf249fabcbe548c05e024fd5fd771df41ddf6ac/app/controllers/provider/authorizations_controller.rb#L26

Since you are requesting the openid scope in your original request to the authorization URL, when you exchange your auth code for a token by posting to the token endpoint, the provider should also give you an ID token as well as the access token. Is there any specific reason you use the access token to then make another request to the userinfo endpoint instead of just using the supplied ID token to get the user information and saving the additional request to the server?

Just wanted to get your thoughts on this.

fractaledmind commented 4 months ago

Well, the short answer is that this demo, where I build the provider as well, doesn't get into OpenID and I didn't implement that. But, that would be a lovely addition to the demo, if you'd like to take a stab at it!

blafri commented 4 months ago

Hey @fractaledmind I took a stab at it here -> https://github.com/fractaledmind/oauth-demo/pull/18

Let me know what you think.
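
An added example for the question in this thread (not code from the oauth-demo repository or from the linked pull request): if a client reads user information from the ID token instead of calling the userinfo endpoint, it has to validate the token itself first. The sketch assumes an RS256-signed token and a provider public key the client already trusts; the method names, issuer URL, client id, nonce and claims are all hypothetical or constructed.

```ruby
require "openssl"
require "base64"
require "json"

# Validate an OIDC ID token (RS256) and return its claims; raises ArgumentError otherwise.
def verify_id_token(jwt, public_key:, issuer:, client_id:, nonce:, now: Time.now.to_i)
  head_b64, body_b64, sig_b64, extra = jwt.to_s.split(".", -1)
  raise ArgumentError, "malformed token" if sig_b64.nil? || extra
  header = JSON.parse(Base64.urlsafe_decode64(head_b64))
  # Pin the algorithm on the client; never let the token pick it.
  raise ArgumentError, "unexpected alg" unless header["alg"] == "RS256"
  signature = Base64.urlsafe_decode64(sig_b64)
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), signature, "#{head_b64}.#{body_b64}")
    raise ArgumentError, "bad signature"
  end
  claims = JSON.parse(Base64.urlsafe_decode64(body_b64))
  raise ArgumentError, "wrong issuer" unless claims["iss"] == issuer
  raise ArgumentError, "wrong audience" unless Array(claims["aud"]).include?(client_id)
  raise ArgumentError, "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  raise ArgumentError, "nonce mismatch" unless nonce && claims["nonce"] == nonce
  claims
end

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Constructed sample data: stands in for the provider signing an ID token.
def sample_id_token(key, claims, alg: "RS256")
  head = b64url(JSON.generate({ "alg" => alg, "typ" => "JWT" }))
  body = b64url(JSON.generate(claims))
  "#{head}.#{body}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), "#{head}.#{body}"))}"
end

PROVIDER_KEY = OpenSSL::PKey::RSA.new(2048) # constructed key pair for the demo
SAMPLE_CLAIMS = { "iss" => "https://provider.example", "aud" => "demo-client",
                  "sub" => "user-123", "email" => "user@example.com",
                  "exp" => Time.now.to_i + 300, "nonce" => "n-0S6" }.freeze

token = sample_id_token(PROVIDER_KEY, SAMPLE_CLAIMS)
claims = verify_id_token(token, public_key: PROVIDER_KEY.public_key,
                         issuer: "https://provider.example", client_id: "demo-client", nonce: "n-0S6")
puts claims.values_at("sub", "email").inspect
```

The `nonce` passed in is the value the client generated and stored in the session before redirecting to the authorization URL.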