I know that OpenID Connect can issue an ID token that the client (relying party) can use to authenticate the end user. But how can it be used to protect the resource server from someone impersonating the client? (I think this question is very similar to impersonating a client in an OAuth application with implicit authorization.)
Let's say there is an SPA (Android + web API): the client (the Android application) implements the OpenID Connect implicit flow and communicates with the resource server (the web API) using the access token directly. The application first redirects the end user to the OpenID provider and receives both the ID token and the access token. However, a malicious application has stolen the access token and impersonates the client to communicate with the resource server.
How can the resource server know whether an access token has been stolen or not, without a token?
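The mechanism that addresses the question, as an added example that is not part of the original post: a sender-constrained (proof-of-possession) access token. With a plain bearer token the resource server has nothing to distinguish the client from a thief, because possession of the token is the only credential. If the OpenID provider instead binds the token to a public key the client generated on the device, and the resource server accepts the token only together with a per-request signature made with the matching private key, a stolen token alone is useless. The claim names (cnf.jkt, htm, htu, jti, ath) mirror RFC 9449 (DPoP), but the token and proof encodings, the ResourceServer type, the Scenario helper and the https://api.example.test endpoint are simplified assumptions made here for illustration; they are not DPoP itself or any real library's API, and a real deployment would use JWT/JWS with a DPoP or mTLS (RFC 8705) implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// h256 is base64url(sha256(b)), used for key thumbprints and for the access-token hash.
func h256(b []byte) string { s := sha256.Sum256(b); return b64.EncodeToString(s[:]) }

// Access-token claims (toy signed JSON, not a real JWT); names mirror RFC 9449, cnf.jkt = bound key thumbprint.
type tokenClaims struct {
	Sub string            `json:"sub"`
	Exp int64             `json:"exp"`
	Cnf map[string]string `json:"cnf"`
}

// Per-request proof, signed with the client's private key, which never leaves the device.
type proofClaims struct {
	Htm string `json:"htm"` // HTTP method of this request
	Htu string `json:"htu"` // URL of this request
	Jti string `json:"jti"` // unique id, for replay detection
	Ath string `json:"ath"` // h256 of the access token this proof accompanies
}

// sign and verify implement "base64url(payload).base64url(ed25519 signature)".
func sign(priv ed25519.PrivateKey, claims any) string {
	payload, _ := json.Marshal(claims)
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

func verify(pub ed25519.PublicKey, s string, claims any) error {
	p, sg, ok := strings.Cut(s, ".")
	payload, err1 := b64.DecodeString(p)
	sig, err2 := b64.DecodeString(sg)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature")
	}
	return json.Unmarshal(payload, claims)
}

// MakeProof is the client's side: "base64url(pubkey).payload.signature" for one request.
func MakeProof(clientPriv ed25519.PrivateKey, token, method, url string) string {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand; a failure here means a broken platform RNG
	p := proofClaims{method, url, b64.EncodeToString(jti), h256([]byte(token))}
	return b64.EncodeToString(clientPriv.Public().(ed25519.PublicKey)) + "." + sign(clientPriv, p)
}

type ResourceServer struct {
	opPub ed25519.PublicKey // the OP's verification key
	seen  map[string]bool   // jti replay cache; entries can be dropped once the token has expired
}

// Authorize returns the subject only if the token is valid and the caller proved possession of the bound key, for this exact request, once.
func (rs *ResourceServer) Authorize(token, proof, method, url string, now time.Time) (string, error) {
	tc, pc := tokenClaims{}, proofClaims{}
	pubB64, rest, ok := strings.Cut(proof, ".")
	pub, err := b64.DecodeString(pubB64)
	switch { // cases run in order, so pub is length-checked before ed25519.Verify sees it
	case verify(rs.opPub, token, &tc) != nil: return "", errors.New("token: bad signature")
	case now.Unix() >= tc.Exp: return "", errors.New("token expired")
	case !ok || err != nil || len(pub) != ed25519.PublicKeySize: return "", errors.New("proof: malformed")
	case verify(ed25519.PublicKey(pub), rest, &pc) != nil: return "", errors.New("proof: bad signature")
	case h256(pub) != tc.Cnf["jkt"]: return "", errors.New("proof key is not the key the token is bound to")
	case pc.Ath != h256([]byte(token)): return "", errors.New("proof is for a different token")
	case pc.Htm != method || pc.Htu != url: return "", errors.New("proof is for a different request")
	case rs.seen[pc.Jti]: return "", errors.New("proof replayed")
	}
	rs.seen[pc.Jti] = true
	return tc.Sub, nil
}

// Scenario plays the legitimate client, a malicious app holding only the stolen token, and an attacker who captured one request.
func Scenario() map[string]error {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)
	rs, res := &ResourceServer{opPub: opPub, seen: map[string]bool{}}, map[string]error{}
	now, url := time.Now(), "https://api.example.test/me" // hypothetical API endpoint
	// The OP's side: at the end of the flow it binds the access token to the client's public key.
	token := sign(opPriv, tokenClaims{Sub: "alice", Exp: now.Add(time.Hour).Unix(), Cnf: map[string]string{"jkt": h256(clientPub)}})
	good := MakeProof(clientPriv, token, "GET", url)
	_, res["legitimate client"] = rs.Authorize(token, good, "GET", url, now)
	_, res["stolen token, thief's own key"] = rs.Authorize(token, MakeProof(thiefPriv, token, "GET", url), "GET", url, now)
	_, res["captured proof sent to another URL"] = rs.Authorize(token, good, "DELETE", url+"/sessions", now)
	_, res["captured request replayed"] = rs.Authorize(token, good, "GET", url, now)
	return res
}

func main() { fmt.Println(Scenario()) }
```

Scenario returns nil for the legitimate client and a distinct error for each of the three attacks: the malicious app that only has the token cannot produce a proof under the bound key, and an attacker who captured a complete request cannot reuse the proof for another request or replay it. The guarantee rests on the private key staying out of the malicious app's reach (on Android, a non-exportable key in the Keystore, hardware-backed where available); if the thief can also use that key, the resource server is back to square one. Note also that the OAuth 2.0 Security Best Current Practice advises against the implicit grant; authorization code with PKCE is the expected flow for a native client, and sender-constraining is an addition to that, not a substitute for it.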