Overview
This PR does 2 things:
1. Expose the ID token as part of the callback() method
Currently, we only expose the sub and access token after performing all the requisite checks on the ID token. But the id token is useful because it acts as proof that the user has been authenticated by sgID. Some relying parties want to store the ID token as part of their audit trail. This is why we're exposing the ID token here.
2. Perform validation on the id token in a manner consistent across SDKs
Validation is done according to the SDK implementation strategy here: https://www.notion.so/opengov/SDK-implementation-requirements-1f9b7cbd2bd4406b85d6645fe3e365dd
Note that in this case, the openid-client library does validation on the ID token for us, so behavior deviates from the Python SDK.
Tests
idToken is received with sgid-demo-frontend-spa and the Express example in this repo.