There is a lot of confusion about OAuth2 vs OpenID-Connect tokens. The OAuth2 token can sometimes be used incorrectly. The ID tokens are for encapsulating ID of a user. If I have a bearer token, what do I do with it? Nothing prevents the resource from using the access token to connect to other resources.