Open KarlBusse opened 5 years ago
~~Just stumbled across this because I tried to upgrade to 0.8.0.
For us a specific IDM provider (GCDM, the IDM from the BMW Group) does not seem to have this field filled out. This means that we can't upgrade to 0.8.0 as there is no way to disable the ID Token validation either (going to create a ticket for that).~~
Edit: Sorry, I had not looked at the following code lines. If `discoveryUrl` is null, it gets skipped. For us the `if (!TextUtils.equals(this.nonce, expectedNonce)) {` check fails.
Currently, ID Token Issuer is only validated if Discovery was used... https://github.com/openid/AppAuth-Android/blob/f12592517140ecfe91a411090601b4264ddb641f/library/java/net/openid/appauth/IdToken.java#L119
My understanding of the spec is that Discovery is optional...
The following is what the OpenID Connect Core spec says in section 3.1.3.7 about verifying the Issuer in the ID Token...
Since Discovery is optional, I believe "typically obtained" may be just a helpful hint? It seems to me that using Discovery was not intended to be a required precondition for performing ID Token Issuer validation.
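As an added example (not code from AppAuth-Android or from anyone in this thread), the two validation policies the issue contrasts, written in Python: a validator that compares `iss` only when a discovery document is available, beside one that always compares it with the issuer the client was configured with; the nonce comparison from the earlier comment is included in the shared checks. The tokens, issuer URLs, client id and nonces are constructed for the demo, and signature verification is assumed to happen before these claim checks.

```python
# Added illustration, not AppAuth-Android's code: the same ID token checked by a
# validator that only compares "iss" when a discovery document is present (the
# behaviour the issue describes) and by one that always compares it.
# All tokens, issuers, client ids and nonces below are constructed for the demo.
import base64
import json
import time

EXP_2100 = 4102444800  # far-future expiry so the constructed tokens stay valid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT with a dummy signature; a real validator verifies it first."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def _payload(id_token: str) -> dict:
    part = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def _check_common(claims: dict, client_id: str, expected_nonce) -> None:
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")

def validate_discovery_only(id_token, client_id, expected_nonce, discovery_doc=None) -> dict:
    """Issuer is checked only when discovery_doc is given; with manual
    configuration (discovery_doc=None) a wrong "iss" passes unnoticed."""
    claims = _payload(id_token)
    if discovery_doc is not None and claims.get("iss") != discovery_doc["issuer"]:
        raise ValueError("issuer mismatch")
    _check_common(claims, client_id, expected_nonce)
    return claims

def validate_always(id_token, client_id, expected_nonce, expected_issuer) -> dict:
    """Issuer is always compared with the configured issuer, whether that value
    came from discovery or from a manually configured endpoint."""
    claims = _payload(id_token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    _check_common(claims, client_id, expected_nonce)
    return claims
```

With manual configuration, `validate_discovery_only` accepts a token whose `iss` names a different issuer entirely, while `validate_always` rejects it, which is the gap the issue describes.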