I am looking at this example: auth0-nodejs-webapp-sample/app.js at master · auth0-samples/auth0-nodejs-webapp-sample · GitHub
My intended application is based on this example and will make use of the ID Token to get hold of the user's details retrieved during the callback, which happened just after the login.
My question is: In this example it does not look like the ID Token's signature has been verified nor cached (just extracted) in this particular example. Do I need to verify the signature of this ID Token received from the callback, or is it impossible to get an untrusted ID Token in this scenario?