Description
Right now the provider does not provide any way to verify the relying party, only the user and token.
Being able to limit access to specific clients only would strengthen security and reduce the impact of a stolen access token.
Even if it's not mandatory in the core OIDC protocol, it's becoming more and more the norm in OIDC providers.