Thanks for creating this library, the integration into my project was a breeze, but I was surprised that `OpenIDConnect.verify/3` is successful when given an expired token.
Shouldn't the documentation explicitly state that `verify/3` only checks the token signature and that it's up to the application to validate the token claims?
I understand that, to some degree, claim validation is an application concern, but the OpenID spec lists a handful of required ID Token claims, among which are `exp` and `aud`. Wouldn't it make sense for an OpenID Connect implementation to validate those standard claims?
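As an added example (not code from the openid_connect library or from the reporter), this is one way an application can validate the required ID Token claims on the claims map that a successful signature check returns; it goes slightly beyond the `exp` and `aud` claims named above and also covers `iss`, `iat`, `nbf` and `azp`. It assumes the claims map has string keys and Unix-second timestamps, as a decoded JWT payload does; the module name, option names and error atoms are the author's own choices.

```elixir
defmodule IdTokenClaims do
  # Constructed example: checks the standard ID Token claims after the
  # signature has already been verified. Not part of openid_connect.
  @default_leeway 60

  # opts: issuer (expected "iss"), client_id (our audience),
  #       now (Unix seconds, defaults to current time), leeway (seconds)
  def validate(claims, opts) when is_map(claims) do
    issuer = Keyword.fetch!(opts, :issuer)
    client_id = Keyword.fetch!(opts, :client_id)
    now = Keyword.get(opts, :now, System.system_time(:second))
    leeway = Keyword.get(opts, :leeway, @default_leeway)

    with :ok <- check_issuer(claims["iss"], issuer),
         :ok <- check_audience(claims["aud"], claims["azp"], client_id),
         :ok <- check_exp(claims["exp"], now, leeway),
         :ok <- check_iat(claims["iat"], now, leeway),
         :ok <- check_nbf(claims["nbf"], now, leeway) do
      {:ok, claims}
    end
  end

  # "iss" must equal the issuer we fetched the discovery document from.
  defp check_issuer(iss, iss) when is_binary(iss), do: :ok
  defp check_issuer(_, _), do: {:error, :invalid_issuer}

  # "aud" may be a string or a list; our client_id must be listed, and
  # with several audiences "azp" must name this client.
  defp check_audience(aud, azp, client_id) do
    auds = List.wrap(aud)

    cond do
      client_id not in auds -> {:error, :invalid_audience}
      length(auds) > 1 and azp != client_id -> {:error, :invalid_authorized_party}
      true -> :ok
    end
  end

  # Reject once "exp" has passed (allowing small clock skew).
  defp check_exp(exp, now, leeway) when is_integer(exp) and exp + leeway > now, do: :ok
  defp check_exp(_, _, _), do: {:error, :token_expired}

  # "iat" must not lie in the future.
  defp check_iat(iat, now, leeway) when is_integer(iat) and iat - leeway <= now, do: :ok
  defp check_iat(_, _, _), do: {:error, :invalid_issued_at}

  # "nbf" is optional; when present the token is not valid before it.
  defp check_nbf(nil, _, _), do: :ok
  defp check_nbf(nbf, now, leeway) when is_integer(nbf) and nbf - leeway <= now, do: :ok
  defp check_nbf(_, _, _), do: {:error, :token_not_yet_valid}
end
```

Wire it in as `with {:ok, claims} <- OpenIDConnect.verify(...), {:ok, claims} <- IdTokenClaims.validate(claims, issuer: iss, client_id: id)`, so a token that is signed correctly but expired or issued for another client is still rejected.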