I know OpenID Connect can issue an ID token which can be used by the client (relying party) to authenticate the end user. But how can it be used to protect the resource server from client impersonation? (I think the question is very similar to Client impersonation in OAuth application with implicit authorization.)
Say there's an SPA (Android app + web API); the client (Android app) implements the OpenID Connect implicit flow and communicates with the resource server (web API) using the access token directly. The app first redirects the end user to the OpenID provider and obtains both the ID token and the access token. However, there's a malicious app which stole the access token and impersonates the client to communicate with the resource server.
How can the resource server know whether the access token is stolen or not without the ID token?
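As an added illustration of the situation in the question (example code, not part of the original post), the block below models the resource server's side: a minimal validator for a bearer access token issued as a JWT, checking signature, issuer, audience and expiry, and a simulation in which the legitimate app and the malicious app present the very same token. It assumes an HS256 shared key standing in for the provider's signing key (a real provider would use an asymmetric key and publish the public half), and the issuer, audience, client_id and claim values are constructed for the example. It goes a little beyond the question by also showing what happens when the ID token itself is presented to the API: the audience check rejects it, since an ID token is addressed to the client (aud = client_id), not to the resource server.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values; the shared HMAC key stands in for the provider's signing key.
PROVIDER_KEY = b"example-signing-key-not-for-production"
ISSUER = "https://op.example.com"
RESOURCE_AUD = "https://api.example.com"   # the web API (resource server)
CLIENT_ID = "android-app"                   # the relying party's client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = PROVIDER_KEY) -> str:
    """Mint a compact HS256 JWT; stands in for what the OpenID provider issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_access_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Everything a resource server can check about a bearer token: signature,
    issuer, audience, expiry. Returns the claims on success, None on failure.
    Nothing here depends on which app sent the request."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's alg
        return None
    expected = hmac.new(PROVIDER_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")
    if RESOURCE_AUD not in (aud if isinstance(aud, list) else [aud]):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def simulate() -> dict:
    """Run the scenario from the question with constructed tokens."""
    issued = 1_700_000_000
    access_token = sign_jwt({"iss": ISSUER, "sub": "user-123", "aud": RESOURCE_AUD,
                             "azp": CLIENT_ID, "iat": issued, "exp": issued + 3600})
    id_token = sign_jwt({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                         "iat": issued, "exp": issued + 3600})
    now = issued + 60
    # The legitimate app and the malicious app present byte-for-byte the same token;
    # the API sees the token, not the app, so both requests validate identically.
    legit = validate_access_token(access_token, now)
    thief = validate_access_token(access_token, now)
    # A forged token with a different subject reuses the old signature and fails.
    h, _, s = access_token.split(".")
    forged_body = _b64url(json.dumps({"iss": ISSUER, "sub": "admin", "aud": RESOURCE_AUD,
                                      "iat": issued, "exp": issued + 3600}).encode())
    forged = f"{h}.{forged_body}.{s}"
    return {
        "legit_ok": legit is not None,
        "thief_ok": thief is not None,
        "same_claims": legit == thief,
        "id_token_accepted_by_api": validate_access_token(id_token, now) is not None,
        "forged_accepted": validate_access_token(forged, now) is not None,
        "expired_accepted": validate_access_token(access_token, issued + 7200) is not None,
    }


if __name__ == "__main__":
    for check, result in simulate().items():
        print(f"{check}: {result}")
```

The validator accepts the stolen copy exactly as it accepts the original, while rejecting a forged, expired or mis-addressed (ID) token: signature, issuer, audience and expiry tell the API that the provider issued this token for it, not who is holding it.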