solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

Difference between dpop-bound access token and oidc id token? #78

Closed michielbdejong closed 3 years ago

michielbdejong commented 3 years ago

Creating this github issue as a pointer to https://lists.w3.org/Archives/Public/public-solid/2020Oct/0000.html

elf-pavlik commented 3 years ago

@acoburn answered it on the mailing list thread linked above:

This is a good question. In your message you noted that the two tokens have a different aud (audience) claim, which is crucial here.

Under OIDC, an ID token is for use by a client application. That client application may use that token to determine the user's name, profile image, etc. The OIDC specification requires that this token be structured as a JWT so that a client can rely on a single mechanism for parsing/validating that token. Notably, the aud (audience) claim in an ID token is the client_id. In other words, an ID token is for the client and should not be used elsewhere. And an ID token should definitely not be used for resource access.

The access token, on the other hand, is for use with a resource server. A client application should treat an access token as opaque (even though, under Solid, it is structured as a JWT). Here the aud (audience) claim is "solid" which indicates that the token can be used with a Solid resource server.