Closed JayNewstrom closed 2 years ago
The spec says we should validate these things. https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
But there are many ways/reasons the system clock could be out of sync (users cheating in Candy Crush, etc.). The demonstrated behavior is less secure.
I just did this as a proof of concept, I'd still need to fix/write more tests, and document the new public methods.
Fixes #256
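Added example (not code from this PR or the project it belongs to) of the approach the description argues for: derive a clock offset from the HTTP `Date` header of the token response and check `exp`/`nbf`/`iat` against that instead of the device clock. The header value, claims and clock values below are constructed; the 60-second leeway is an assumption.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

LEEWAY_SECONDS = 60  # assumed tolerance for network latency and minor skew

# Constructed sample: server answered the token request at this time (RFC 7231 Date header).
DATE_HEADER = "Wed, 21 Oct 2015 07:28:00 GMT"
SERVER_NOW = 1445412480  # epoch seconds for the header above
CLAIMS = {"iat": SERVER_NOW, "exp": SERVER_NOW + 3600}  # 1-hour ID token
# Constructed: the device clock has been pushed one day ahead of the server.
TAMPERED_LOCAL_NOW = SERVER_NOW + 86400

def server_clock_offset(date_header, local_now):
    """Seconds to add to the local clock to obtain the server's clock.
    Capture this at the moment the token response arrives, not later."""
    server_time = parsedate_to_datetime(date_header)
    if server_time.tzinfo is None:  # treat a bare timestamp as UTC
        server_time = server_time.replace(tzinfo=timezone.utc)
    return server_time.timestamp() - local_now

def validate_time_claims(claims, now, leeway=LEEWAY_SECONDS):
    """Time-claim checks from OIDC Core 3.1.3.7 evaluated at 'now' (epoch seconds).
    exp is required; nbf and iat are checked only when present."""
    if "exp" not in claims:
        return False, "missing exp"
    if now >= claims["exp"] + leeway:
        return False, "token expired"
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return False, "token not yet valid"
    if "iat" in claims and claims["iat"] > now + leeway:
        return False, "issued in the future"
    return True, "ok"

def validate_with_server_clock(claims, date_header, local_now, leeway=LEEWAY_SECONDS):
    """Same checks, but 'now' is the local clock corrected by the server offset."""
    now = local_now + server_clock_offset(date_header, local_now)
    return validate_time_claims(claims, now, leeway)

if __name__ == "__main__":
    print(validate_time_claims(CLAIMS, TAMPERED_LOCAL_NOW))  # local clock: rejected
    print(validate_with_server_clock(CLAIMS, DATE_HEADER, TAMPERED_LOCAL_NOW))  # accepted
```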
…with server clock.