Of course, it just checks that the token was indeed generated by the identity provider. You still need to check that its contents match what you expect for your application.
Issuing a request to another server from my backend would be a non-starter, completely incompatible with any sensible performance or security model.
> it just checks that the token was indeed generated by the identity provider.
This! I have given a talk on JWTs dozens of times and always emphasize that you must do two things:
* verify the signature
* validate the claims (including standard ones like `aud` and non-standard, business specific ones)
You must must must do both to securely trust the token.
This isn't just a JWT thing, either. If you provide a token to an introspect endpoint like what Facebook provides, only the first item is taken care of. You must still inspect the claims.
Libraries will sometimes help with the standard claims, but you're on your own for non-standard ones.