
How can OpenID over OAuth 2.0 be trusted?

Çağlar Arlı


I am trying to implement "Login with Google/Apple etc..." on a web platform and I can't wrap my head around how you can trust the response that supposedly comes from the resource server owned by these platforms.

For comparison, when a normal username/email and password pair is provided, the correct password is a good enough piece of information to be sure enough that the authentication request was made by the owner of the account.

In the case of OAuth 2.0 with OpenID, the only thing that you get is some personal information and an ID, things which can be known by other platforms with a similar implementation for authentication. Let's say that the database of one of these platforms is compromised: what stops an attacker from doing DNS spoofing or a MITM attack, impersonating the resource server and providing me with the same information that the real server would?

In short, how can you trust OpenID when you don't get something that you are sure only you and the resource/authorization server know?

Besides the obvious: SSL/TLS and the signed JWT?
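Added example, not part of the question: the checks a relying party runs on an ID token before trusting anything in it. It uses the HS256 variant that OpenID Connect allows, where the client secret issued at registration is the signing key, so it runs on the standard library alone; providers such as Google sign with RS256, and the signature step then uses the public key fetched over TLS from the provider's JWKS endpoint, while the claim checks stay the same. ISSUER, CLIENT_ID, CLIENT_SECRET and the token contents are constructed values, not real Google or Apple ones.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the provider's discovery data and our client registration
# (hypothetical values, not real Google or Apple ones).
ISSUER = "https://idp.example"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = b"constructed-client-secret-known-only-to-us-and-the-idp"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """The provider's side: sign header.payload with the key shared at registration."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """The relying party's side. Raises ValueError if any check fails."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Signature first: knowing the user's name, email and sub is not enough to produce it.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature: not produced with our client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or injected token")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

A server that is impersonated over a spoofed connection and holds only the user's profile data cannot produce the signature, and the nonce ties the token to the login this browser started rather than to a token captured elsewhere.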