Hey @Zhiyuan-Amos,
Thank you for reading my article!
To answer your question, security depends on specific scenarios, and if you feel the ID token is enough to make authorization decisions in your first-party scenario, that’s fine.
At this point, my additional concern in this first-party scenario is related to token management. I mean, in the scenario you describe, the ID token is issued to the SPA, which uses it to make authorized requests to the API.
SPAs run in an uncontrolled environment (browser + user’s device), which is more subject to token attacks than a server environment.
Since you have control over your API, why expose the ID token on the SPA? If you want to guarantee more security in a first-party scenario like yours, I would consider applying the Backend for Frontend pattern. This allows your Backend/API to negotiate an ID token, which is never sent to the SPA, and the protected communication between your SPA and the Backend/API relies on traditional cookies.
I hope this suggestion can help.