openid / AppAuth-JS

JavaScript client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
Apache License 2.0

Question about ID Token validation and token signature #184

Closed Fedelists closed 3 years ago

Fedelists commented 3 years ago

Hello team, I am new to the library and I am trying to understand if the library validates the ID Token. I do not seem to find any of the validation steps described in section 3.1.3.7. - ID Token Validation - of the specs.

Can someone help to confirm whether token validation is implemented or not? My understanding is that it is mandatory.

tikurahul commented 3 years ago

> Can someone help to confirm whether token validation is implemented or not? My understanding is that it is mandatory.

The library does not validate the ID token. That is something that clients typically don't need if you are using the full OAuth2 flow. However, that is something you can choose to implement on your own.
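
The claim checks from section 3.1.3.7 that a client would have to implement itself, as an added example (not part of the thread and not AppAuth-JS code). `validateIdTokenClaims`, `makeSampleToken` and the fields of `expected` are hypothetical names, and `Buffer` assumes Node.js; the signature is not verified here, which 3.1.3.7 permits only when the token arrives directly from the token endpoint over validated TLS.

```javascript
// Added example: claim checks from OpenID Connect Core 3.1.3.7.
// The JWS signature is NOT verified here; use a JOSE library for that.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Builds a constructed, unsigned sample token for exercising the checks.
function makeSampleToken(claims, alg = 'RS256') {
  return [b64url({ alg, typ: 'JWT' }), b64url(claims), 'c2ln'].join('.');
}

function validateIdTokenClaims(idToken, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = decode(parts[0]);
  const claims = decode(parts[1]);
  const skew = expected.clockSkewSec ?? 60; // tolerated clock drift (assumed default)

  // Step 7: alg must be the one this client expects (rejects "none").
  if (header.alg !== expected.alg) throw new Error('unexpected alg');
  // Step 2: iss must exactly match the provider's issuer identifier.
  if (claims.iss !== expected.issuer) throw new Error('issuer mismatch');
  // Step 3: aud (string or array) must contain our client_id.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) throw new Error('audience mismatch');
  // Steps 4-5: multiple audiences need azp; azp, if present, must be us.
  if (aud.length > 1 && claims.azp === undefined) throw new Error('azp missing');
  if (claims.azp !== undefined && claims.azp !== expected.clientId) throw new Error('azp mismatch');
  // Step 9: current time must be before exp.
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp + skew) throw new Error('token expired');
  // Step 10: reject tokens whose iat lies in the future.
  if (typeof claims.iat !== 'number' || claims.iat > nowSec + skew) throw new Error('iat in the future');
  // Step 11: nonce must equal the value sent in the authentication request.
  if (expected.nonce !== undefined && claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  return claims;
}

// Constructed values, not taken from any real provider.
const sampleExpected = { issuer: 'https://idp.example', clientId: 'client-123', alg: 'RS256', nonce: 'n-0S6' };
const sampleNow = 1700000000;
const sampleClaims = { iss: 'https://idp.example', sub: 'user-1', aud: 'client-123',
  exp: sampleNow + 300, iat: sampleNow, nonce: 'n-0S6' };
console.log(validateIdTokenClaims(makeSampleToken(sampleClaims), sampleExpected, sampleNow).sub);
```

The `nonce` passed in `expected` is the value the client generated for the authentication request and kept in its own session state.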