Hey, thanks for the article. I have a question about ID vs. access token in the context of token exchange. I have an SSO scenario where a client SPA web app is going through the OIDC Authorization Code flow with a third-party provider, such as Auth0, getting back access and ID tokens. I need to take those tokens and on my backend exchange them for an access token generated for the client to access another API. To do this securely I need to verify the user has a valid token from the expected issuer to the expected client, and to identify the user.
I can get all of this from the ID token by verifying the signature, iat, exp, iss, aud, and sub claims. So for this token exchange scenario is it sufficient to rely solely on the ID token?
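The backend side of the exchange described in the comment above, as an added example that is not part of the original comment or article: it verifies the ID token's signature, iss, aud, exp, iat and sub before minting a separate, short-lived token for the downstream API. The keys, issuer URLs, client id and API audience are constructed assumptions, and HS256 with a shared demo secret stands in for the RS256/JWKS verification a real OIDC provider would require.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not the commenter's real setup).
IDP_KEY, API_KEY = b"idp-demo-secret", b"backend-demo-secret"
ISSUER, CLIENT_ID, API_AUD = "https://idp.example.test/", "spa-client-id", "orders-api"
NOW, LEEWAY = 1_700_000_000, 60  # fixed clock for reproducible results; allowed iat skew

def b64url(b: bytes) -> str: return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64url(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    # Mint a compact JWT; HS256 stands in for the RS256/JWKS a real IdP would use.
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now: int) -> dict:
    # Check signature, iss, aud, exp, iat and sub; raise ValueError on any failure.
    head, body, sig = token.split(".")
    if json.loads(unb64url(head)).get("alg") != "HS256":  # pin alg; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    c = json.loads(unb64url(body))
    if c.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if client_id not in aud:  # the ID token must have been issued to *this* client
        raise ValueError("wrong audience")
    if not isinstance(c.get("exp"), int) or now >= c["exp"]:
        raise ValueError("expired")
    if not isinstance(c.get("iat"), int) or c["iat"] > now + LEEWAY:
        raise ValueError("issued in the future")
    if not c.get("sub"):
        raise ValueError("missing subject")
    return c

def exchange_for_api_token(id_token: str, now: int = None) -> str:
    # Backend side of the exchange: validate the IdP token, then mint our own API token.
    now = int(time.time()) if now is None else now
    user = verify_id_token(id_token, IDP_KEY, ISSUER, CLIENT_ID, now)
    # New issuer, new audience, short lifetime; only the verified sub is carried over.
    return sign_hs256({"iss": "https://backend.example.test/", "sub": user["sub"],
                       "aud": API_AUD, "iat": now, "exp": now + 300}, API_KEY)

# Constructed sample ID token, as the IdP would return it after the code flow.
SAMPLE_ID_TOKEN = sign_hs256({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                              "iat": NOW - 5, "exp": NOW + 3600}, IDP_KEY)
```

The minted token can be checked with the same `verify_id_token` routine using the backend's key, issuer and API audience, which is what the downstream API would do on receipt.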