
I'm developing a custom Authentication Socialite ADFS Provider using OpenID Connect: Authentication Flow.

Since I have a TLS connection between the client App and the Authentication server that issues the token, what is the point of verifying the access token signature? From my perspective, the connection is already authenticated with integrity.

The keys I would use to verify the signature are exposed on a .well-known endpoint. Given the context of a compromised auth server, attackers could simply replace the server keys with their own, so I'm really not sure about the benefits of the signature in this case.

Ayden

0 Answers