try:
            # Decode the JWT and raise an error if the signature is invalid.
            # Pin the expected algorithm explicitly to prevent algorithm-confusion
            # attacks, in which an RSA public key is used as an HMAC secret key.
            id_token = JWS().verify_compact(