ID token you obtained did in fact come from the service and not an attacker. With this in mind, and I know it seems unsafe at first, it’s okay to decode the ID token without validating it. Even Google says so.https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo...