Hi @James.Morrison - yep I am using that flow. So you are suggesting option 1 below? Or could either approach be used? It doesn’t matter to me which I go with, I’m just trying to understand if there are any concerns with either of the approaches and/or if any should be avoided.
- validate & extract ID token in client mobile app - then send just the specific fields (username, email) to my API via an HTTP request (pass those fields as query string parameters, or in the request body, etc.)
vs…
- pass entire ID token to my API (in the request body?), then validate & extract within the API logic.