DockYard / openid_connect

MIT License

OpenID claims validation #35

Open xavier opened 4 years ago

xavier commented 4 years ago

Thanks for creating this library, the integration into my project was a breeze but I was surprised that OpenIDConnect.verify/3 is successful when given an expired token.

Shouldn't the documentation explicitly state that verify/3 only checks the token signature and that it's up to the application to validate the token claims?

I understand that, to some degree, claim validation is an application concern but the OpenID spec lists a handful of required ID Token claims, among which are exp and aud. Wouldn't it make sense for an OpenID Connect implementation to validate those standard claims?
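Application-side validation of the standard ID Token claims that the comment above says `verify/3` leaves unchecked (iss, aud/azp, exp, iat, nbf), as an added example that is not part of openid_connect. It assumes `OpenIDConnect.verify/3` returns `{:ok, claims}` with a string-keyed map, and that `:issuer` and `:client_id` are the values the application configured for its provider.

```elixir
# Added example, not code from openid_connect: checks the standard ID Token
# claims on the map `OpenIDConnect.verify/3` returns after signature checking.
defmodule IDTokenClaims do
  # `now` and `leeway` (seconds) are options so checks are deterministic in tests.
  def validate(claims, opts) when is_map(claims) do
    issuer = Keyword.fetch!(opts, :issuer)
    client_id = Keyword.fetch!(opts, :client_id)
    now = Keyword.get(opts, :now, System.system_time(:second))
    leeway = Keyword.get(opts, :leeway, 60)

    with :ok <- check_issuer(claims, issuer),
         :ok <- check_audience(claims, client_id),
         :ok <- check_exp(claims, now, leeway),
         :ok <- check_iat(claims, now, leeway),
         :ok <- check_nbf(claims, now, leeway) do
      {:ok, claims}
    end
  end

  # iss must match the provider's issuer exactly (no prefix or suffix matching).
  defp check_issuer(%{"iss" => iss}, iss), do: :ok
  defp check_issuer(_, _), do: {:error, :invalid_issuer}

  # aud may be a string or a list; our client_id must be listed, and with
  # several audiences the token must also name us as authorized party (azp).
  defp check_audience(%{"aud" => aud} = claims, client_id) do
    auds = List.wrap(aud)

    cond do
      client_id not in auds -> {:error, :invalid_audience}
      length(auds) > 1 and claims["azp"] != client_id -> {:error, :invalid_azp}
      true -> :ok
    end
  end
  defp check_audience(_, _), do: {:error, :missing_audience}

  # exp is required: the token is rejected once now passes exp (plus leeway).
  defp check_exp(%{"exp" => exp}, now, leeway) when is_integer(exp),
    do: if(now < exp + leeway, do: :ok, else: {:error, :expired})
  defp check_exp(_, _, _), do: {:error, :missing_exp}

  # iat is required: reject a token that claims to have been issued in the future.
  defp check_iat(%{"iat" => iat}, now, leeway) when is_integer(iat),
    do: if(iat <= now + leeway, do: :ok, else: {:error, :issued_in_future})
  defp check_iat(_, _, _), do: {:error, :missing_iat}

  # nbf is optional: when present, the token is not valid before that time.
  defp check_nbf(%{"nbf" => nbf}, now, leeway) when is_integer(nbf),
    do: if(nbf <= now + leeway, do: :ok, else: {:error, :not_yet_valid})
  defp check_nbf(_, _, _), do: :ok
end
```

Call `IDTokenClaims.validate(claims, issuer: "...", client_id: "...")` on the map from `{:ok, claims} = OpenIDConnect.verify(provider, id_token)`; pass `now:` to exercise the expiry and not-before checks against a fixed clock.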

bcardarella commented 4 years ago

We're open to PRs to address this issue. At the moment I am not actively working on the library but am happy to review and merge if you have a fix.