After users sign in, grant permission, and redirect back to my app. I got something like this
```
{"state"=>"***",
"code"=>"yyyy", "id_token"=>"zzzz",
"user"=>"{
....
}"}
```
Which is everything I need to create a user account, but the OAuth flow isn't finished yet. For a normal flow, we would use that code to fetch access token from `https://appleid.apple.com/auth/token`
https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
My question is, should I do that? It seems to add no value to the current situation.
