by yukIttEft 812 days ago
newbie question: in https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_pr... What is the point of step 8/9? Couldn't a wrong password already be rejected in step 5/6?
1 comment

This isn’t about passwords. The token from the identity server (Google in this case) describes the user, including their identity, which you may use as a link to the user data. If I were to forge a token, I could impersonate the user. For this reason, you need to verify the token with the identity server.
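The check the reply describes, as an added example that is not part of the original thread (Go, standard library only): the relying party verifies the ID token's signature against the issuer's published key before it trusts any claim inside the token, and only then checks issuer, audience and expiry. The issuer URL, client id and user ids are placeholders, and the issuer's key pair is generated locally instead of being fetched from a real provider; a token edited after signing, or signed by anyone other than the issuer, is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of OIDC ID-token claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignIDToken plays the identity provider: it issues an RS256 JWT over the claims (the signing error is dropped; it does not occur with a valid key and rand.Reader).
func SignIDToken(c Claims, key *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig)
}

// VerifyIDToken plays the relying party: the signature is checked against the issuer's
// published key before any claim is trusted, and only then are iss, aud and exp checked.
func VerifyIDToken(token string, issuerKey *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	// Pin the algorithm: the token must not get to choose "none" or an HMAC alg.
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected (alg=%q, err=%v)", hdr.Alg, err)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // garbled input simply fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(issuerKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under the issuer's key")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token was issued to another client %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// RunDemo issues one genuine token and two forgeries, and reports the subject accepted from
// the genuine token and whether each forgery is rejected. Issuer URL, client id and user ids are placeholders.
func RunDemo() (genuineSub string, tamperedRejected, attackerKeyRejected bool) {
	const iss, aud = "https://idp.example", "client-123"
	now := time.Now()
	exp := now.Add(time.Hour).Unix()
	issuerKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // the key whose public half the IdP publishes
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the IdP has never seen
	genuine := SignIDToken(Claims{Iss: iss, Sub: "user-42", Aud: aud, Exp: exp}, issuerKey)
	if c, err := VerifyIDToken(genuine, &issuerKey.PublicKey, iss, aud, now); err == nil {
		genuineSub = c.Sub
	}
	// Forgery 1: keep the issuer's real signature, swap the payload to claim to be "admin".
	parts := strings.Split(genuine, ".")
	forgedBody, _ := json.Marshal(Claims{Iss: iss, Sub: "admin", Aud: aud, Exp: exp})
	_, tErr := VerifyIDToken(parts[0]+"."+b64(forgedBody)+"."+parts[2], &issuerKey.PublicKey, iss, aud, now)
	// Forgery 2: well formed and correctly signed, but with a key the issuer never published.
	selfSigned := SignIDToken(Claims{Iss: iss, Sub: "admin", Aud: aud, Exp: exp}, attackerKey)
	_, aErr := VerifyIDToken(selfSigned, &issuerKey.PublicKey, iss, aud, now)
	return genuineSub, tErr != nil, aErr != nil
}

func main() {
	fmt.Println(RunDemo())
}
```

With a real provider the public key is looked up in the issuer's published JWKS by the token's kid header rather than held locally, and a maintained JWT library should handle key rotation and clock skew instead of this hand-rolled parser; the point the example makes is the order of operations: signature first, claims only afterwards, because the sub and email claims are just text until the signature proves who wrote them.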