What is the intent of the ID Token expiry time in OpenID Connect?

梦谈多话 2020-12-12 09:24

In OpenID Connect an access token has an expiry time. For authorization code flow, this is typically short (e.g. 20 minutes) after which you use the refresh token to

7 answers
無奈伤痛 2020-12-12 09:51

It is the same intent: you can't use the id_token after it is expired. The main difference is that an id_token is a data structure and you won't need to call any servers or endpoints, as the information is encoded in the token itself. A regular access_token is usually an opaque artifact (like a GUID).

The consumer of the id_token must always verify the (time) validity of it.

I'm not 100% familiar with IS, but I would guess it is a convenience field. You should always check the exp claim.

Expiration is just one of the validations. id_tokens are also digitally signed and that is also a validation you must perform.
