TODO: verify that ID token expiration is accurate

[bshaffer]

Because the expiration is inside the JWT for ID tokens, we should verify that this is done correctly, so that ID tokens are automatically refreshed.