Security Considerations

To ensure your client integration is secure, we recommend the following:

  • The client should hand the authorization code to its backend, and the backend should perform the token exchange; backend systems must not assume tokens received from the client are valid without validating them, including their intended audience and nonce.
  • The client should validate the state, nonce and audience parameters received in responses, to the extent those values are available to the client.
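As an added illustration of the backend-side checks described above (example code, not from the original page), the following Python function validates the returned state and the ID token's iss, aud, nonce and exp claims. It assumes the token signature has already been verified by a JOSE library, and that the backend stored the state and nonce in the user's session before redirecting to the authorization server; the session and claim values below are assumptions for the example.

```python
import hmac
import time

def validate_callback(session, returned_state, claims, client_id, issuer,
                      now=None):
    """Return a list of validation failures (an empty list means OK).

    session:        dict holding the 'state' and 'nonce' this backend
                    generated before starting the authorization request
    returned_state: the state parameter from the callback query string
    claims:         ID-token claims, AFTER signature verification
    """
    problems = []
    now = time.time() if now is None else now

    # state: binds the callback to the session that started the flow
    # (protects against login CSRF); compare in constant time.
    expected_state = session.get("state")
    if not expected_state or not returned_state or \
            not hmac.compare_digest(expected_state, returned_state):
        problems.append("state mismatch")

    # iss: the token must come from the provider we configured.
    if claims.get("iss") != issuer:
        problems.append("unexpected issuer")

    # aud: may be a string or a list; this client_id must be included.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("audience does not include this client")
    # With several audiences, azp must name this client explicitly.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("azp missing or wrong for multi-audience token")

    # nonce: binds the token to this login attempt (replay protection).
    expected_nonce = session.get("nonce")
    if not expected_nonce or claims.get("nonce") is None or \
            not hmac.compare_digest(expected_nonce, str(claims["nonce"])):
        problems.append("nonce mismatch")

    # exp: reject expired tokens (or tokens with no expiry at all).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")

    # Single use: once accepted, the stored state/nonce must not be reusable.
    if not problems:
        session.pop("state", None)
        session.pop("nonce", None)
    return problems
```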