
OIDC + Authentik: Which token to give to user for authentication?

Çağlar Arlı - 15 Views


I am implementing a web service with a front end and back end. Everything but the login endpoint requires authentication. For authentication I use Authentik. However, I have trouble wrapping my head around which tokens to give to the user, given Authentik's configuration options.

Currently, my authentication process works as follows:

  1. On login, the user is sent to the OIDC provider's authorization endpoint and comes back with an access_code.
  2. Back end sends the access_code to the token endpoint to retrieve the id_token, access_token and refresh_token.
  3. Back end sends the id_token and refresh_token to the user and discards the access_token (I only need to know if the email address is a company email, which is already included in the id_token). The id_token and refresh_token are stored as cookies (Secure, HttpOnly, SameSite=strict).
  4. Whenever the user makes a request to an endpoint requiring authentication, I check the signature on the id_token, the intended audience (aud) and the expiration time (exp). If those checks pass, I trust the email address in the user-supplied id_token.
  5. If the ID token is expired, I use the refresh_token with the token endpoint to get a new id_token and refresh_token.
  6. If the user logs out by themselves, I use the revocation endpoint to revoke both the refresh_token and the id_token. Afterwards, the cookies are deleted.
  7. If the user needs to be logged out by me (left the company), I remove the user's ability to use their company email with Authentik. Then, the next time the id_token expires, the refresh will fail and the user will not get a new id_token. This means that after one expiration period, the user will be logged out automatically.

I have implemented these steps and the process works quite nicely. I currently do not need to create my own session cookies or sign my own JWTs with a persistent secret, which I would like to keep.

However: Authentik does not provide a way to configure the id_token expiration period. I can only configure that for the access_code, access_token and refresh_token. The lack of documentation on that leads me to believe that I might have misunderstood OIDC.

Could someone enlighten me on this?

EDIT: As a hacky workaround, I've made my backend reject ID tokens that are older than 5 minutes. This is implemented by checking the iat ("issued at") claim. Effectively, my backend now treats ID tokens as having an expiry time of 5 minutes. This perfectly suits my use case. However, I find it confusing that I wasn't able to find a more "proper" solution in OIDC and that I haven't found any guides that highlight this exact problem.
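The per-request check described in step 4 of the question, together with the 5-minute "issued at" rule from the edit, as an added example that is not the poster's code. It is standard-library only: the token is signed with HS256 and a constructed shared secret purely so that it runs offline, whereas Authentik issues RS256 tokens verified against its JWKS; the claim checks (audience, expiry, iat freshness) are the same in both cases. The client id, secret, claims and timestamps are all constructed values, and the three outcomes ("reject", "refresh", "ok") are an assumed convention that maps onto the question's flow: "refresh" is the point where the backend would call the token endpoint with the refresh_token, and a failing refresh is what logs the user out in step 7.

```python
"""Illustrative ID-token gate for the backend flow in the question (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption: HS256 with a shared secret stands in for Authentik's RS256 signing
# so the example needs no extra packages. Constructed demo values, not real keys.
SECRET = b"constructed-demo-secret"
AUDIENCE = "my-backend-client-id"   # constructed client_id registered in the provider
MAX_AGE_SECONDS = 5 * 60            # the question's 5-minute rule applied to iat


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact JWS (HS256); stands in for what the token endpoint returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def check_id_token(token: str, key: bytes = SECRET, audience: str = AUDIENCE,
                   now: Optional[int] = None,
                   max_age: int = MAX_AGE_SECONDS) -> Tuple[str, Optional[str]]:
    """Return (decision, email).

    "reject"  - malformed, wrong algorithm, bad signature or wrong audience:
                nothing in the token may be trusted.
    "refresh" - authentic but stale (exp reached, or iat older than max_age):
                use the refresh_token, then re-check the newly issued id_token.
    "ok"      - authentic and fresh: the email claim may be trusted.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                      # covers base64, JSON and split errors
        return "reject", None
    # Pin the algorithm on the server side; never let the token choose it.
    if header.get("alg") != "HS256":
        return "reject", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "reject", None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return "reject", None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return "reject", None
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return "reject", None
    # Either the provider's own expiry or the backend's 5-minute freshness window
    # sends the request down the refresh path of steps 5 and 7.
    if now >= exp or now - iat > max_age:
        return "refresh", None
    return "ok", claims.get("email")
```

Because the iat window is enforced on the backend, an id_token that is still valid by its own exp claim but older than five minutes is treated exactly like an expired one, which is the behaviour the edit describes.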