I work at a large enterprise and have been challenging our architects on AWS Cognito JWT implementations. The OAuth implementation indicates to never use the ID token when sending to the resource server (https://oauth.net/2/access-tokens/). I have found this same recommendation through other providers as well such as Microsoft, Okta, and Auth0. However, the AWS Cognito team seems to clearly indicate it's ok to use the ID token (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html), "The ID token can also be used to authenticate users to your resource servers or server applications."

Our architects are adamant that AWS is the sole authority here, but I want to understand why AWS seems to recommend using the ID token when I can't find recommendations anywhere else.
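Added example (not from the question or from AWS): the claim-level policy a resource server can enforce so that a Cognito ID token (token_use "id", aud = app client) is refused and only access tokens (token_use "access", client_id, scope) are accepted. It assumes the RS256 signature has already been verified against the user pool's JWKS by a JWT library, so the sample tokens below carry a placeholder signature, and the pool id and client id are hypothetical.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Hypothetical pool and app client (assumptions, not real identifiers).
REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "example-client-id"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
NOW = 1_700_000_000  # fixed clock so the sample is reproducible offline

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed sample only: header.payload.<placeholder signature>.
    Real Cognito tokens are RS256-signed; verify that signature BEFORE
    applying the claim policy below."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-sig"

def decode_claims(token: str) -> dict:
    """Extract the payload claims (no signature check; see make_sample_token)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize_resource_request(claims: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Post-signature policy for a resource server: accept access tokens only."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("token_use") != "access":
        # An ID token (token_use == "id") proves authentication to the client,
        # not authorization to call this API; refuse it here.
        return False, f"rejected token_use={claims.get('token_use')!r}"
    if claims.get("client_id") != CLIENT_ID:  # access tokens carry client_id, not aud
        return False, "wrong client_id"
    if not claims.get("scope"):
        return False, "missing scope"
    return True, "ok"

# Constructed sample tokens mirroring the claim shapes Cognito issues.
SAMPLE_ID_TOKEN = make_sample_token({"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id",
                                     "email": "user@example.com", "exp": NOW + 3600})
SAMPLE_ACCESS_TOKEN = make_sample_token({"iss": ISSUER, "client_id": CLIENT_ID,
                                         "token_use": "access", "scope": "orders/read",
                                         "exp": NOW + 3600})
```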
By offloading the service to AWS, they have the responsibility and liability of taking that on. That doesn't get you completely off the hook however - you still have a brand to protect. It would be worth your time to reach out to your AWS TAM to find out the justifications about this. They are pleasantly forward with a lot of their decisions in my experience.