Open turbo2ltr opened 6 years ago
It does not appear that this client validates the signature on the JWT passed back from the token server. All it does is make sure the resource request response data matches the unencoded data in the JWT.
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2
Will this feature be added?
Thanks.

The name of this issue should be "Validating the id_token JWT". The plugin doesn't actually validate the JWT; it just extracts the claims without validating, because it got the JWT from the token endpoint. JWT signature validation isn't needed in this case because it already knows where it got the id_token from.
From Google's docs on OpenID Connect:
"Normally, it is critical that you validate an ID token before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid."
A comment in the code around the lines where it extracts the JWT information to this effect would be helpful, though.
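As an added illustration of the distinction this thread draws between merely extracting id_token claims and validating the JWT per section 7.2 of the referenced draft, here is example Python that does both. It is not the plugin's code: it uses HS256 with a constructed shared key for self-containment, whereas OpenID Connect providers such as Google sign id_tokens with RS256 and publish the verification keys, so a real client would fetch the provider's JWKS for the signature step; the issuer, client id and key values are constructed.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part: str) -> bytes:
    # JWS uses base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def extract_claims(token: str) -> dict:
    # What "extracting the claims" means: decode the payload and trust it as-is.
    return json.loads(_b64url_decode(token.split(".")[1]))

def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      now=None) -> dict:
    """Validate per draft-ietf-oauth-json-web-token section 7.2 plus the
    OIDC id_token claim checks (iss, aud, exp). Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token pick it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    # Helper to mint constructed tokens (signed or unsigned) for the checks above.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```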