Deprecate decode_id_token and do not check the validity of the id token when it is retrieved from the SDK. SDK validating the id_token is a slippery slope ... token validation is complex and should be done when appropriate. The fact that the ID token comes directly from the IdP is sufficient proof to not validate it.
MSAL in particular does not handle sessions. So it should not check the expiration etc. of the id token. This is the app's responsibility, as they may associate session lifetime to id token lifetime. Or not.
If there are any docs that state that the SDK validates the ID token, update those docs to clarify this is not supported.
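
One way an app can own the session decision described above, added here as an example (not MSAL code and not part of the original issue). The function names, the `policy` values and the sample token are assumptions made for illustration.

```python
import base64
import json

def unverified_claims(id_token: str) -> dict:
    """Read the claims of a compact JWT without validating signature or expiry.

    Assumption: the token was returned to this app directly by the IdP's token
    endpoint over TLS. Tokens handed over by a browser or another service
    do not meet that assumption and need full validation.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def session_deadline(claims: dict, now: float, policy: str = "token",
                     fixed_lifetime: int = 8 * 3600) -> float:
    """App-owned decision: tie the session to the ID token lifetime, or not."""
    if policy == "token":
        exp = claims.get("exp")
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            raise ValueError("ID token has no numeric exp claim")
        return float(exp)
    if policy == "fixed":
        return now + fixed_lifetime
    raise ValueError(f"unknown policy: {policy}")

def session_is_active(deadline: float, now: float) -> bool:
    return now < deadline

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo; not a real IdP response."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    issued = 1_700_000_000
    token = make_sample_token({"sub": "user-1", "iat": issued, "exp": issued + 3600})
    claims = unverified_claims(token)
    for policy in ("token", "fixed"):
        deadline = session_deadline(claims, now=issued, policy=policy)
        print(policy, session_is_active(deadline, now=issued + 2 * 3600))
```
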