Access tokens that are passed to the public in an OAuth flow clearly need to be signed using asymmetric encryption (e.g. RSA) so that they cannot be altered by the client to gain access to new scopes, etc.
Id tokens on the other hand are not used to access any resources on the server. So if the client is able to alter the id token they will not be able to gain access to any extra resources. Does that mean that it would be okay to use a symmetric (HMAC) signature with a secret that is shared between the server and a specific client application (like the oauth client_secret for a given oauth client)?