I am using the sign-in widget on a single page web app. It is working great, but I am trying to make sure I am being as secure as possible.
Is there any benefit or point in grabbing the idToken from the widget and then calling the introspect API to validate the idToken? Or am I just doubling up something that the widget is doing anyway? I was also thinking about calling introspect again every 5-10 minutes or so on a user's session to make sure the token hasn't been revoked.
Any other security tips are very welcome!