What is the intent of ID Token expiry time in OpenID Connect?

Backend  Unresolved  7  2050
梦谈多话 2020-12-12 09:24

In OpenID Connect an access token has an expiry time. For authorization code flow, this is typically short (e.g. 20 minutes) after which you use the refresh token to

7 answers
  • 2020-12-12 10:02

    TLDR;

    Validate the ID token before trusting what it says.

    More Details

    What is the intent of ID token expiry time in OpenID Connect?

    The intent is to allow the client to validate the ID token, and the client must validate the ID token before operations that use the ID token's information.

    From the OpenID Implicit Flow spec:

    If any of the validation procedures defined in this document fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.

    To corroborate that, Google's OpenID Connect documentation says this about ID token validation:

    One thing that makes ID tokens useful is the fact that you can pass them around different components of your app. These components can use an ID token as a lightweight authentication mechanism authenticating the app and the user. But before you can use the information in the ID token or rely on it as an assertion that the user has authenticated, you must validate it.

    So, if our client application is going to take some action based on the content of the ID token, then we must again validate the ID token.

    0 · Discussion (0)
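The answer above says the client must validate the ID token before acting on it; the code below is an added example (not from the answer, the question, or any library) of what that validation looks like in practice, including the expiry check the question asks about. It follows the ID token validation steps of OpenID Connect Core 1.0 section 3.1.3.7 (signature, `iss`, `aud`/`azp`, `exp`, `iat`, `nonce`) and, to stay dependency-free, uses the HS256 case in which OIDC Core section 10.1 says the `client_secret` is the signing key. The issuer URL, client_id, client secret, claim values and timestamps are all constructed for the demo; a real client takes them from its provider's discovery document and registration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for the demo; a real client gets these from its
# OpenID Provider's discovery document and its client registration.
ISSUER = "https://idp.example.test"           # assumed issuer URL
CLIENT_ID = "client-abc"                      # assumed client_id
CLIENT_SECRET = b"constructed-client-secret"  # HS256 key (OIDC Core 10.1)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed ID token; stands in for the provider in this demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class IDTokenError(ValueError):
    """Any failed check: the token's information MUST NOT be used."""


def validate_id_token(token, secret, issuer, client_id, nonce=None, now=None, leeway=60):
    """Return the claims only if signature, iss, aud, exp, iat and nonce all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("ID token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise IDTokenError(f"malformed token: {exc}")
    # Pin the algorithm the client registered for; never let the token choose
    # ("none" or a different family must be rejected, not honoured).
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IDTokenError("signature does not verify")
    if claims.get("iss") != issuer:
        raise IDTokenError("iss does not match the expected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        raise IDTokenError("token was not issued to this client (aud)")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IDTokenError("ID token has expired (exp)")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise IDTokenError("iat is missing or lies in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IDTokenError("nonce does not match this login attempt (possible replay)")
    return claims


def demo(now=1_700_000_000):
    """Accept a fresh token, reject a stale one. Returns (sub, stale_accepted)."""
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now - 10, "nonce": "n-1"}
    fresh = make_id_token({**base, "exp": now + 300}, CLIENT_SECRET)
    claims = validate_id_token(fresh, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce="n-1", now=now)
    stale = make_id_token({**base, "exp": now - 3600}, CLIENT_SECRET)
    try:
        validate_id_token(stale, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce="n-1", now=now)
        stale_accepted = True
    except IDTokenError:
        stale_accepted = False
    return claims["sub"], stale_accepted


if __name__ == "__main__":
    print(demo())
```

The `leeway` argument is the one judgement call: a minute or so of clock skew between client and provider is normal, so a token a few seconds past `exp` is still accepted, while the hour-old token in `demo()` is not. Everything else is deliberately strict, and a failure at any step raises rather than returning partial claims, which is the spec's "MUST be aborted" requirement expressed in code.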