Hi,
As per the below docs :
https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
A validation of a id__token should be same as validating an access_token. Which means that an id_token should be signed. But , when an id_token is issued by Identity Experience Framework ( after user logs in) then that id_token does not contain any signature.
Please explain the ambiguity between the docs and actual functionality..
One more reference : https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens ... which says "To validate an id_token or an access_token, your app should validate both the token's signature and the claims"
Thanks!


