Managing Tokens in .NET MAUI

No problem :)

I also have another 2 questions:

  1. Do we really need to validate the ID token every time we fetch it from secure storage? Isn’t validating it after receiving it from the OIDC server enough? Is it because someone can get access to keys in Android or the keychain on iOS? Follow-up question: would you recommend that on the web too, when we are getting the ID token from cookies (although the key ring that the IDataProtection API is using is stored on the server, so it’s not accessible that easily)?

  2. I’m using the ID token for my authentication, so the user is logged in as long as the ID token has not expired. I guess this is how it is supposed to be, but some examples of auth in Blazor, including the Microsoft one, use the access token expiration date as the indicator of when to refresh tokens during authentication verification (e.g. the OnValidatePrincipal event). Do you have any idea why that is? Is there a hidden meaning behind that approach? Microsoft example