I'm writing an OpenID Connect Provider in Rails, basically refactoring this example here.
My question is - do ID Tokens need to be persisted on the server at all? If I'm just signing the ID Token and sending it to the RP, can't I just generate the ID Token when the RP asks for it (such as with an idtoken response type in the request) and not worry about saving it in a database on my end? Basically use a plain old ruby object for the IDToken rather than an ActiveModel object.
It seems to me that once the RP receives an ID Token, they use it to get information about the Resource Owner and won't send it back to the provider like an access token. Or am I missing something here and I SHOULD be saving the ID Tokens in the provider's db?
I know Nat Sakimura explains here that in the code flow of OAuth / OIDC, you should save the ID Token when passing the authorization code back to the RP, but I feel like I could just generate the Token when they send the code back and ask for the access token (along with the id token).
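An added illustration of the stateless model the question describes, written here as example code rather than taken from the question or the linked Rails project: the provider builds the ID Token from data it already has at the moment of the request (subject, client id, the RP's nonce) and signs it; the RP checks the signature and the claims with nothing looked up on the provider side. It assumes an issuer URL and an RS256 key pair generated on the fly (a real provider loads a persistent key and publishes the public half via its JWKS endpoint) and uses only the Ruby standard library so it runs without the `jwt` gem.

```ruby
require "openssl"
require "json"

# Assumed values for the example: the issuer URL and a throwaway RSA key.
# A real OP keeps a stable key and serves its public part at /.well-known/jwks.
ISSUER = "https://op.example".freeze
PROVIDER_KEY = OpenSSL::PKey::RSA.new(2048)

# Base64url helpers (RFC 7515 style: URL-safe alphabet, no padding).
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0")
end

# Provider side: mint an ID Token on demand. Nothing here touches a database;
# every claim comes from the authenticated session and the RP's request, and the
# RSA signature is what lets the RP trust it later.
def issue_id_token(subject:, client_id:, nonce:, now: Time.now.to_i, ttl: 300, key: PROVIDER_KEY)
  header = { alg: "RS256", typ: "JWT" }
  claims = {
    iss: ISSUER, sub: subject, aud: client_id,
    iat: now, exp: now + ttl, nonce: nonce
  }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  signature = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# RP side: verify the signature with the OP's public key, then check the claims
# that bind the token to this client and this login attempt. Returns the claims
# hash on success and raises RuntimeError with a short reason otherwise.
def verify_id_token(token, public_key:, client_id:, expected_nonce:, now: Time.now.to_i)
  h64, c64, s64 = token.split(".")
  raise "malformed token" unless h64 && c64 && s64
  header = JSON.parse(b64url_decode(h64))
  # Pin the algorithm: never let the token pick it (rules out "none" / key confusion).
  raise "unexpected alg" unless header["alg"] == "RS256"
  valid = public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s64), "#{h64}.#{c64}")
  raise "bad signature" unless valid
  claims = JSON.parse(b64url_decode(c64))
  raise "wrong issuer" unless claims["iss"] == ISSUER
  raise "wrong audience" unless claims["aud"] == client_id
  raise "expired" unless claims["exp"].to_i > now
  raise "nonce mismatch" unless claims["nonce"] == expected_nonce
  claims
end

if $PROGRAM_NAME == __FILE__
  token = issue_id_token(subject: "user-42", client_id: "rp-client", nonce: "n-abc")
  claims = verify_id_token(token, public_key: PROVIDER_KEY.public_key,
                           client_id: "rp-client", expected_nonce: "n-abc")
  puts "verified sub=#{claims["sub"]} for aud=#{claims["aud"]}"
end
```

The token itself never needs a row on the provider; `verify_id_token` runs entirely on the RP with the public key and the nonce the RP stored in its own session. The one piece of state the code flow does force on the provider is the nonce from the authorization request: it has to be remembered alongside the authorization code so that the ID Token minted at the token endpoint carries it, otherwise the RP's nonce check above fails.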