Should compare sub in access_token and id_token to verify that they are from the same user, to prevent a user from impersonating another user.
dniel opened this issue · comments
Daniel Nord commented
Verify both tokens, and check that the sub field is the same in both.