How OpenID over OAuth 2.0 can be trusted?
I am trying to implement "Login with Google/Apple etc…" on a web platform and I can’t wrap my head around how you can trust the response that supposedly comes from the resource server owned by these platforms.
For comparison, w…