To obtain an access token or ID token for a user, we need a Client ID and secret. Using these client credentials, we can initiate an OAuth code flow to let the user authorize our app, and as a result, we get an access token. If we use the right parameters, we also receive an ID token and refresh token. If we look at the tokens we receive, we can see which Client ID they were issued to: The ID token contains an azp (authorized party) and aud (audience) claim, and they both contain the client I...
