line / flutter_line_sdk

A Flutter plugin that lets developers access LINE's native SDKs in Flutter apps with Dart.
https://developers.line.biz/
Apache License 2.0
213 stars, 43 forks

Verifying ID Token #36

Closed ryanomor closed 3 years ago

ryanomor commented 3 years ago

Is it a security issue? Yes

If you believe you have discovered a vulnerability or have an issue related to security, please DO NOT open a public issue. Instead, send us a mail to dl_oss_dev@linecorp.com.

What did you do?

According to the LINE documentation, it is important to verify the id token. https://developers.line.biz/en/reference/line-login/#verify-id-token

What did you expect?

I was expecting a built-in method that handles this verification, just like there is a verifyAccessToken method for access token verification.

What happened actually?

If there is a reason for this, could there be an explanation in the documentation why there is no method for verifying the id token? Otherwise, will there be id token verification in the future?

onevcat commented 3 years ago

Hi, @ryanomor

The ID Token should be verified in your server, instead of from your client. When delivering the ID Token to your server, your server should take the responsibility to verify it against LINE's server to get the result. It is not a client behavior, so there is no need to have a verifyIDToken method in the SDK.

Furthermore, if you only intend to use the ID Token in your client app, there is no need to verify it, since the verification process is already built into the login process. So it should be just safe to use it in place. However, again, if you have to send it to your server, it is not safe for your server to trust it, and you need to have your server call the verify ID Token API before actually using the token.

ryanomor commented 3 years ago

Hi @onevcat, thanks for the explanation. Since the verification process is already built into the login process, then it shouldn't be a problem. I was planning on decoding the payload to get the user's info, but wanted to make sure the ID Token was verified before doing so.
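As an added example, not code from the flutter_line_sdk project or from either commenter, here is the server-side verification that onevcat describes, written in Python, covering the check ryanomor wanted to make before decoding the payload for user info. It assumes the server holds its own channel ID and channel secret, and that the ID token is an HS256 JWT signed with the channel secret (LINE's documented default; a channel configured for ES256 would need a public-key signature check instead). The channel ID, secret, user ID, nonce and token below are all constructed for the demo. The block also builds the form body for LINE's verify endpoint from the docs linked in the issue without sending it, so it runs offline; in production the server would POST that body and treat a non-200 response as verification failure.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

LINE_ISSUER = "https://access.line.me"
# LINE's verify-ID-token endpoint, from the docs linked in the issue
VERIFY_ENDPOINT = "https://api.line.me/oauth2/v2.1/verify"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_id_token_locally(id_token, channel_id, channel_secret, expected_nonce=None, now=None):
    """Verify a LINE ID token server-side and return its claims, or raise ValueError.

    Assumption: HS256 JWT signed with the channel secret (LINE's default).
    Every check runs before any claim is trusted; the client's word is never enough.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm; never let the token header choose it (rejects 'none' and key-confusion)
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(channel_secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not match channel secret")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != LINE_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != channel_id:
        raise ValueError("token was issued for a different channel")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def build_verify_request(id_token, channel_id, nonce=None):
    """Endpoint and form body for LINE's verify API; the server POSTs this, never the app."""
    form = {"id_token": id_token, "client_id": channel_id}
    if nonce is not None:
        form["nonce"] = nonce
    return VERIFY_ENDPOINT, urlencode(form)


def make_sample_token(claims, channel_secret):
    """Mint a constructed HS256 token for the demo; only LINE mints real ones."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(channel_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


# Constructed demo values (not real LINE credentials)
DEMO_CHANNEL_ID = "1234567890"
DEMO_CHANNEL_SECRET = "constructed-channel-secret"
DEMO_NOW = 1_700_000_000
DEMO_CLAIMS = {"iss": LINE_ISSUER, "sub": "Uconstructeduserid", "aud": DEMO_CHANNEL_ID,
               "exp": DEMO_NOW + 3600, "iat": DEMO_NOW, "nonce": "n-123", "name": "Demo"}


def demo():
    """Returns (verified sub, whether a client-tampered token was rejected)."""
    good = make_sample_token(DEMO_CLAIMS, DEMO_CHANNEL_SECRET)
    ok = verify_id_token_locally(good, DEMO_CHANNEL_ID, DEMO_CHANNEL_SECRET, "n-123", DEMO_NOW)

    # A client that swaps the sub but keeps LINE's signature must be rejected
    h, p, s = good.split(".")
    forged = json.loads(_b64url_decode(p))
    forged["sub"] = "Usomeoneelse"
    tampered = f"{h}.{_b64url_encode(json.dumps(forged).encode())}.{s}"
    try:
        verify_id_token_locally(tampered, DEMO_CHANNEL_ID, DEMO_CHANNEL_SECRET, "n-123", DEMO_NOW)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return ok["sub"], tampered_rejected


if __name__ == "__main__":
    print(demo())
    print(build_verify_request(make_sample_token(DEMO_CLAIMS, DEMO_CHANNEL_SECRET), DEMO_CHANNEL_ID, "n-123"))
```

The local check and the remote verify call are complementary: the remote call is authoritative for LINE's own state (revocation, key rotation), while the local checks of issuer, audience, expiry and nonce are what stop a token that was minted for another channel, or replayed from an earlier login, from being accepted even if the signature is genuine.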