Refresh token so you don't need to log in every 15 minutes (because session token should not be long-lived). There isn't much trusting to do with the ID provider. You have to trust that the software works. It's like using the "login with Google" or "login with Facebook" buttons. They also use OIDC. In those cases, you have to trust them with your personal info. With this nostr ID provider, you hold the personal info on your device. We can maybe have some sort of encryption scheme between the nostr app and your phone app to make sure the info doesn't leak in transit. And tbh so far nostr apps have asked for your name, username, maybe an email. You can always enter fake or burner info in your device app so that nostr ID provider gets nothing. It's a very low trust system IMO.
please read up on what a refresh token is for
Lol I know what it's for. I don't think you're following this convo.