Closed ryanomor closed 3 years ago
Hi, @ryanomor
The ID Token should be verified in your server, instead of from your client. When delivering the ID Token to your server, your server should take the responsibility to verify it against LINE's server to get the result. It is not a client behavior, so there is no need to have a verifyIDToken method in the SDK.
Furthermore, if you only intend to use the ID Token in your client app, there is no need to verify it, since the verification process is already built into the login process. So it should be safe to use it in place. However, again, if you have to send it to your server, it is not safe for your server to trust it, and you need to have your server call the verify ID Token API before actually using the token.
Hi @onevcat, thanks for the explanation. Since the verification process is already built into the login process, then it shouldn't be a problem. I was planning on decoding the payload to get the user's info, but wanted to make sure the ID Token was verified before doing so.
Is it a security issue? Yes
If you believe you have discovered a vulnerability or have an issue related to security, please DO NOT open a public issue. Instead, send us a mail to dl_oss_dev@linecorp.com.