panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Question: how do I validate the id_token when using grant directly #156

Closed davidballester closed 5 years ago

davidballester commented 5 years ago

Hello, and thanks for this awesome library!

We need to use Password Grant Flow and, if I understood the docs correctly, we can do so with:

client.grant({
  grant_type: 'password',
  username: 'johndoe',
  password: 'A3ddj3w',
  scope: 'profile',
}); // => Promise

However, if we do so, we won't be taking advantage of the id_token validation feature, right? I checked the code and saw that both decryptIdToken and validateIdToken are private, so how can I achieve this?

Thanks!

panva commented 5 years ago

Hi @davidballester

1) I don't believe password grant type should be returning an ID Token at all, but that's beside the point. ROPC is not an OIDC grant.
2) There's no point in validating the signature since the token endpoint you're calling is an https one, so you might as well just decode it.
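As an added example (not code from openid-client or from either commenter), this decodes the id_token from a token response as panva suggests and still checks the claims a relying party depends on (iss, aud, exp, iat); the issuer URL, client id and token contents are constructed sample values.

```javascript
// Added example: decode an id_token obtained via client.grant() without
// signature verification, then sanity-check its claims.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Split the compact JWS and parse header and payload (signature is ignored).
function decodeIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a compact JWS');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Claims the client must still check even though the token came over TLS.
// Returns a list of problems; an empty list means the claims are acceptable.
function checkIdTokenClaims(payload, { issuer, clientId, now, clockTolerance = 0 }) {
  const errors = [];
  if (payload.iss !== issuer) errors.push('iss mismatch');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) errors.push('aud does not include client_id');
  if (typeof payload.exp !== 'number' || payload.exp + clockTolerance <= now) errors.push('token expired');
  if (typeof payload.iat !== 'number' || payload.iat - clockTolerance > now) errors.push('iat in the future');
  return errors;
}

// Constructed sample token: the signature segment is a placeholder, which is
// fine here because the signature is deliberately not checked.
const SAMPLE_ID_TOKEN = [
  base64UrlEncode({ alg: 'RS256', typ: 'JWT' }),
  base64UrlEncode({ iss: 'https://op.example.com', aud: 'my-client', sub: 'johndoe', iat: 1500000000, exp: 1500003600 }),
  'signature-placeholder',
].join('.');

function demo() {
  const { payload } = decodeIdToken(SAMPLE_ID_TOKEN);
  // Evaluate the claims at a fixed instant inside the token's validity window.
  return checkIdTokenClaims(payload, { issuer: 'https://op.example.com', clientId: 'my-client', now: 1500000100 });
}
```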