API Protection by ID Token?What happens if ID tokens issued by external OpenID providers (IdP) are used for API protection? The following diagram is my understanding. A client that has no relationship with the resource server can access APIs of the resource server using an ID token that the client has legitimately obtained in an utterly irrelevant context.The user has granted a permission for the client to get an ID token,
