Introduction to OAuth and OpenID Connect
fleeting
- External reference:
Relying party does not need to check the Identity Token
Because it got it from the back channel in a trusted way.
You need to validate it if you stored it and later read it back (to check that it is unchanged) or when a third party gives you one.
Identity Token is implementation dependent
You might end up wanting to use the userinfo endpoint instead.