louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0

Why access-token is verified in oidc supporting reverse-proxy #675

Open akifkhan01 opened 4 years ago

akifkhan01 commented 4 years ago

In the handler, why is the access token verified and used instead of the ID token itself for OpenID? Shouldn't the ID token be verified primarily in OpenIDC?

Comment snippet from the code:

```go
// Flow: once we exchange the authorization code we parse the ID Token; we then check for an access token,
// if an access token is present and we can decode it, we use that as the session token, otherwise we default
// to the ID Token.
```

I can see in the code that it falls back to the ID token only if the access token is not available.

I'm trying to understand the reason for this.

p53 commented 3 years ago

Yes, the ID token should be validated: https://issues.redhat.com/browse/KEYCLOAK-8954

p53 commented 3 years ago

Will make a pull request for this.

p53 commented 3 years ago

But there will still be a problem with verifying the access token in the middleware, because right now it uses the verifytoken method for the ID token and thus also checks client_id=aud, which may or may not be true, so it shouldn't be checked by default, but it can't be turned off.
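Added example (not louketo-proxy's code and not from anyone in this thread): a standard-library-only Go verifier that shows the two checks this thread is about. `Verify` validates `alg`, the RS256 signature, `iss` and `exp`, and only when `CheckAud` is set requires the configured client ID to appear in `aud`. That flag is the knob p53's last comment says is missing: an ID token must pass the `aud` check (OIDC Core 3.1.3.7 requires the client_id to be in `aud`), while an access token's `aud` is commonly the resource server rather than the proxy's client_id, so forcing the same check on it rejects legitimate tokens. All names (`Verify`, `VerifyOptions`, `CheckAud`, `NewKey`, `Sign`) and the issuer and audience values are this example's own assumptions; `Sign` stands in for the identity provider, and the sample tokens are constructed in `main`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example validates; aud may be a string or an array (RFC 7519).
type Claims struct {
	Iss string          `json:"iss"`
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
}

// VerifyOptions is this example's (hypothetical) policy knob: CheckAud is mandatory for an ID token
// (OIDC Core 3.1.3.7) but a deployment choice for an access token, whose aud is usually the API.
type VerifyOptions struct {
	Issuer, ClientID string
	CheckAud         bool
	Now              time.Time
}

var enc = base64.RawURLEncoding

// NewKey returns a fresh RSA key that plays the identity provider's signing key (example only).
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Sign builds a compact RS256 JWS; it stands in for the identity provider.
func Sign(key *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// Verify checks alg, signature, iss and exp and, when opts.CheckAud is set, that opts.ClientID
// is among the token's audiences. Claims are returned only when every enabled check passes.
func Verify(token string, pub *rsa.PublicKey, opts VerifyOptions) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	headerJSON, err1 := enc.DecodeString(parts[0])
	payload, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	var header struct{ Alg string `json:"alg"` }
	// Pin the algorithm: the token's own alg header is untrusted input.
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(headerJSON, &header) != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("bad base64url segment or unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != opts.Issuer {
		return nil, fmt.Errorf("issuer %q is not the expected %q", c.Iss, opts.Issuer)
	}
	if c.Exp == 0 || !opts.Now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token has no exp or is expired")
	}
	if !opts.CheckAud {
		return &c, nil
	}
	var auds []string
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one}
	} else if json.Unmarshal(c.Aud, &auds) != nil {
		return nil, fmt.Errorf("aud is missing or neither a string nor an array of strings")
	}
	for _, a := range auds {
		if a == opts.ClientID {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("aud %v does not include client_id %q", auds, opts.ClientID)
}

func main() {
	// Constructed sample: issuer, client and API names are invented; aud is the API, not the proxy's client_id.
	key := NewKey()
	accessToken, _ := Sign(key, map[string]interface{}{"iss": "https://idp.example", "aud": []string{"backend-api"}, "exp": time.Now().Add(time.Hour).Unix()})
	opts := VerifyOptions{Issuer: "https://idp.example", ClientID: "my-proxy", CheckAud: true, Now: time.Now()}
	_, err := Verify(accessToken, &key.PublicKey, opts)
	fmt.Println("access token with aud enforced:", err)
	opts.CheckAud = false
	_, err = Verify(accessToken, &key.PublicKey, opts)
	fmt.Println("access token with aud not enforced:", err)
}
```

Running it with `go run` prints an aud-mismatch error for the first call and `<nil>` for the second. In a real proxy the public key would come from the provider's JWKS endpoint (selected by `kid`, which this example ignores) and the issuer and client ID from configuration; the point is only that the `aud` comparison is a separate, per-token-type decision rather than a fixed part of one shared verification routine.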