One big issue with AWS OIDC is that API Gateway uses the id_token to validate requests, not the access_token as the spec requires. Unless you're doing subscriptions through AppSync, in which case it does require the access_token, not the id_token. But their own Amplify library doesn't realize this, so you have to trick it. Fun stuff to implement on the front end.
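As an added illustration (not the commenter's code, and not Amplify's own API), a small client-side helper that picks the right Cognito token per destination, sanity-checks the choice via the `token_use` claim before it leaves the browser, and builds the AppSync real-time connection URL with the access token. The tokens, session object and AppSync host below are constructed placeholders.

```javascript
// Added example: choose id_token vs access_token per AWS target and verify the choice.
// Tokens here are CONSTRUCTED, unsigned stand-ins; real ones come from the Cognito session.
const b64url = (s) => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => {
  const std = s.replace(/-/g, '+').replace(/_/g, '/');
  return atob(std + '='.repeat((4 - (std.length % 4)) % 4));
};

// Build an unsigned JWT-shaped string for offline demonstration only.
function fakeJwt(claims) {
  const header = b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64url(JSON.stringify(claims))}.`;
}

// Decode the payload WITHOUT verifying the signature: the client only inspects which
// token it is holding; API Gateway / AppSync are the parties that actually validate it.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(fromB64url(parts[1]));
}

// Cognito stamps every token with token_use: "id" or "access".
const tokenUse = (jwt) => decodePayload(jwt).token_use;

// Which token each AWS front door expects, per the behaviour described above.
const EXPECTED = { 'api-gateway': 'id', 'appsync-subscription': 'access' };

function chooseToken(session, target) {
  const want = EXPECTED[target];
  if (!want) throw new Error(`unknown target ${target}`);
  const token = want === 'id' ? session.idToken : session.accessToken;
  // Fail closed if the session fields were swapped or mislabelled.
  if (tokenUse(token) !== want) throw new Error(`expected a ${want} token for ${target}, got ${tokenUse(token)}`);
  return token;
}

// AppSync real-time endpoint: the auth header JSON travels base64-encoded in the `header`
// query parameter. The host is a placeholder; substitute your API's GraphQL host.
function appSyncRealtimeUrl(session, host = 'EXAMPLE-ID.appsync-api.us-east-1.amazonaws.com') {
  const auth = { host, Authorization: chooseToken(session, 'appsync-subscription') };
  const realtimeHost = host.replace('appsync-api', 'appsync-realtime-api');
  return `wss://${realtimeHost}/graphql?header=${btoa(JSON.stringify(auth))}&payload=${btoa('{}')}`;
}

// Constructed session with one token of each kind.
const session = {
  idToken: fakeJwt({ token_use: 'id', sub: 'user-1', aud: 'client-abc', exp: 9999999999 }),
  accessToken: fakeJwt({ token_use: 'access', sub: 'user-1', client_id: 'client-abc', exp: 9999999999 }),
};
```

For an API Gateway call the same helper yields `chooseToken(session, 'api-gateway')`, i.e. the id_token, so the header-building code stays explicit about which token goes where.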