Does an OIDC ID Token need validation in authorization-code flow?

Çağlar Arlı      -    18 Views

In the OpenID Connect "authorisation-code flow" what security vulnerability is exposed, if the application relies on claims in the ID Token without validating that token?

For example, Google suggests that validating the token is unnecessary in this flow:

Normally, it is critical that you validate an ID token before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid.
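The checks the question is asking about, as an added example that is not part of the original post and not Google's code: the ID Token validation steps from OpenID Connect Core section 3.1.3.7 (signature, iss, aud, exp, nonce) implemented with only the Python standard library. To run offline it mints its own token with HS256 and a shared secret; real providers sign ID Tokens with asymmetric keys published at their jwks_uri, so the issuer, client id and secret here are constructed placeholders. Skipping the aud check is what lets a token minted for a different client be accepted, and skipping the nonce check is what lets a captured token be replayed, which is why the checks are kept even when the token arrives over the back channel.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not from the page or any real provider).
ISSUER = "https://issuer.example"
CLIENT_ID = "example-client-id"
SHARED_SECRET = b"example-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256-signed JWT so the checks below can be exercised offline.
    Stand-in for a provider's RS256/ES256 signature (assumption for this demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None,
                      secret: bytes = SHARED_SECRET) -> dict:
    """Apply the ID Token checks that matter regardless of how the token arrived.
    Returns the verified claims or raises ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: honouring whatever 'alg' the token names (including
    # 'none') is a well-known verification bypass.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # aud may be a string or a list; this client must be among the audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not intended for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # nonce ties the token to the authentication request that produced it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo() -> bool:
    """Mint a well-formed token and confirm it passes every check."""
    now = 1_700_000_000
    good = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                          "exp": now + 300, "iat": now, "nonce": "n-123"})
    claims = validate_id_token(good, "n-123", now=now)
    return claims["sub"] == "user-1"


if __name__ == "__main__":
    print("valid token accepted:", demo())
```

In a real relying party the signature step would fetch the provider's JWKS and verify against the key named by the token's kid header, but the claim checks (iss, aud, exp, nonce) are identical.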