I have an implementation where I am using an Okta Org to get my ID token using the implicit flow.
I just did a basic implementation: redirect to a particular URL and use JavaScript to grab the token, then use this token later in my app to do a bunch of stuff.
Obviously, the user can just copy the ID token while Okta is redirecting the web page. This token can be used in Postman, Fiddler or others to do things.
I was just wondering if there is anything that can be done to protect that token?