You need to validate all ID tokens and access tokens on your server before using them to get access to APIs. For example, your server must verify as authentic any ID tokens it receives from your client apps. Validating the token consists of a series of steps (as described in the OpenID specifications), and if any of these fails, then the request must be rejected.
Rather than writing your own code to perform the verification steps, we strongly recommend using a general-purpose JWT library or Certified OpenID Connect Implementations.
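As an added example (not code from this page or from any library it recommends), the function below walks through the validation steps the page refers to, in order, and rejects the token on the first failure: a pinned algorithm (so a header claiming `alg: none` or a different algorithm is refused), the signature over the segments exactly as received, the issuer, the audience and `azp` rule for multi-audience tokens, the `exp`/`iat` lifetime with a small clock skew, and the nonce. The issuer URL, client ID, secret and claims are constructed demo values. It assumes an HS256 shared secret purely so the example runs offline with the standard library; real ID tokens are usually RS256-signed and verified against the provider's published keys, which is exactly the part a maintained JWT library should handle for you.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not from the page); a real server reads
# these from configuration and the provider's discovery document.
ISSUER = "https://issuer.example.com"
CLIENT_ID = "demo-client-id"
CLIENT_SECRET = b"demo-shared-secret-for-hs256"   # assumption: HS256 shared secret
EXPECTED_ALG = "HS256"                            # pinned server-side, never read from the token
CLOCK_SKEW_SECONDS = 60


class TokenError(Exception):
    """Raised on the first failed check; the caller must reject the request."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_id_token(claims: dict, alg: str = EXPECTED_ALG, secret: bytes = CLIENT_SECRET) -> str:
    """Mint a token for the demo only; in production the identity provider signs tokens."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."  # unsigned token, used only to show it is rejected
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: Optional[str] = None,
                      now: Optional[float] = None, secret: bytes = CLIENT_SECRET) -> dict:
    """Run every check in order; raise TokenError on the first failure, else return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        received_sig = b64url_decode(sig_b64)
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise TokenError("token segments are not valid base64url JSON") from exc

    # 1. Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != EXPECTED_ALG:
        raise TokenError(f"unexpected alg {header.get('alg')!r}")

    # 2. Verify the signature over the segments exactly as received (constant-time compare).
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, received_sig):
        raise TokenError("signature mismatch")

    # 3. Issuer must be the provider this server trusts.
    if payload.get("iss") != ISSUER:
        raise TokenError("wrong issuer")

    # 4. Audience must contain our client_id; with several audiences, azp must name us.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise TokenError("token not issued for this client")
    if len(audiences) > 1 and payload.get("azp") != CLIENT_ID:
        raise TokenError("azp missing or does not match client_id")

    # 5. Lifetime: exp must be in the future and iat must not be, allowing small clock skew.
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        raise TokenError("token expired or exp missing")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW_SECONDS:
        raise TokenError("iat missing or in the future")

    # 6. Nonce binds the token to the authentication request this server started.
    if expected_nonce is not None and payload.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")

    return payload


def rejection_reason(token: str, **kwargs) -> Optional[str]:
    """Return None when the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, **kwargs)
        return None
    except TokenError as exc:
        return str(exc)
```

Every check raises rather than returning a flag, so there is no code path in which a partially validated token reaches the API call; the order matters too, because the claims are not trusted for anything until the algorithm and signature checks have passed.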