What happens if ID tokens issued by external OpenID providers (IdP) are used for API protection? The following diagram is my understanding.