1 min read · Jul 7, 2020
An access token (and OAuth2 in general) gives no guarantee that the identification details returned with it (e.g. an e-mail address) are correct and belong to the user. In fact, I can set a different e-mail on the Resource Server. It is only a resource, not an assertion (as in OpenID, for example).