Konubinix' opinionated web of thoughts

Introduction to OAuth and OpenID Connect


  • External reference:

20210826-Introduction-to-OAuth-and-Opocl OAuth 2.1, OpenID Connect

relying party does not need to check the Identity Token

Because it got it from the back channel in a trusted way.

You need to validate it in case you stored it and get it back (to check it remains the same) or when being given one from a third party.

Identity Token is implementation dependant

You might want to end up using the userinfo endpoint instead.