I have a reverse proxy, configured as the Relying Party of an OpenID Connect identity provider. It then delegates the request processing to another web server, exposed on the internet. In order to secure and authenticate this data flow, I thought I could use the RS256 algorithm to sign the ID token and pass it along with the request. With this, the second web server would be able to verify the authenticity/integrity of the token without sharing a secret with the identity provider.
This data flow would obviously be encrypted with TLS.
There’s just one thing I’m not sure about: is it fine to use the ID token as a proof of authentication? The signature mechanism is designed to verify the integrity of the token; can it also be used to verify the authenticity? Is there a better practice in order to authenticate/secure this data flow?
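As an added illustration of the setup described in the question (this is example code, not code from the question or from any particular proxy or identity provider), here is what the second web server's check of an RS256-signed ID token looks like when written with only the Go standard library. The IdP key pair is generated on the spot, and the issuer URL `https://idp.example`, the client_id `proxy-client-id`, the subject and the lifetimes are assumed values; `aud` is treated as a single string rather than the array OIDC also allows. The point it shows is the split the question asks about: the signature check establishes integrity and origin (the IdP's private key produced it), and the claim checks on `iss`, `aud` and `exp` are what turn that into a proof of authentication that is valid for this particular audience at this particular time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of OIDC ID-token claims the downstream server checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintIDToken stands in for the identity provider: it signs header.payload
// with RS256 (RSASSA-PKCS1-v1_5 over SHA-256) using the IdP's private key.
func MintIDToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyIDToken is what the second web server runs. It holds only the IdP's
// public key plus the issuer and client_id it expects; no shared secret.
func VerifyIDToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm server-side: the token header must never decide how it is verified.
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	// Integrity is now established. The claim checks below turn that into a
	// proof of authentication that is valid for *this* audience at *this* time.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, errors.New("wrong issuer")
	}
	if c.Aud != wantAud {
		return nil, errors.New("token not issued for this audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Constructed demo: the IdP key pair, issuer and client_id are assumptions.
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := MintIDToken(idpKey, Claims{
		Iss: "https://idp.example", Sub: "alice", Aud: "proxy-client-id",
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(),
	})
	c, err := VerifyIDToken(&idpKey.PublicKey, tok, "https://idp.example", "proxy-client-id", now)
	fmt.Println(c, err)
	// The same token presented for a different audience is rejected.
	_, err = VerifyIDToken(&idpKey.PublicKey, tok, "https://idp.example", "other-app", now)
	fmt.Println(err)
}
```

Two design points worth noting. First, the `alg` value is compared against a fixed expectation rather than used to select a verifier, so a header claiming `none` or an HMAC algorithm fails before any key is consulted. Second, a token that passes all of these checks proves that the IdP authenticated `sub` for audience `aud` some time before `exp`; it does not by itself prove who delivered the request to the second server, which is why the TLS on that hop that the question already mentions, together with a short `exp`, still matters.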