pow-auth / assent

Multi-provider framework in Elixir
https://powauth.com
MIT License

Add JWT verification to the Apple and Azure AD strategies #21

Closed danschultzer closed 4 years ago

danschultzer commented 4 years ago

Based on https://github.com/pow-auth/assent/issues/18#issuecomment-551970381

These strategies pull claims from the id_token JWT but don't verify them. It would be safer to always verify the tokens even if the full OAuth 2 code flow is used.
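As an added illustration of the point above (example code, not Assent's own): base64-decoding the id_token payload yields claims whether or not the signature holds, while a verification step checks the RS256 signature, issuer, audience and expiry before trusting anything. It assumes Jason as the JSON library and a provider public key given JWK-style as `[e, n]`; the issuer and client id are constructed values.

```elixir
defmodule IdTokenCheck do
  # Added example, not Assent's code. Assumes Jason for JSON; the public key is
  # given JWK-style as [e, n] binaries, as an OIDC JWKS document would supply it.

  defp b64url(bin), do: Base.url_encode64(bin, padding: false)

  defp decode_json(segment) do
    with {:ok, bin} <- Base.url_decode64(segment, padding: false), do: Jason.decode(bin)
  end

  # Produces an RS256 token from a private key; only here to build sample input.
  def sign(claims, [e, n, d]) do
    header = b64url(Jason.encode!(%{"alg" => "RS256", "typ" => "JWT"}))
    signing_input = header <> "." <> b64url(Jason.encode!(claims))
    signing_input <> "." <> b64url(:crypto.sign(:rsa, :sha256, signing_input, [e, n, d]))
  end

  # What "pulling claims without verifying" amounts to: base64-decode and trust.
  def unverified_claims(token) do
    [_header, payload, _sig] = String.split(token, ".")
    {:ok, claims} = decode_json(payload)
    claims
  end

  # Verify the signature against the provider key, then issuer, audience and expiry.
  def verify(token, [e, n], expected_iss, client_id, now \\ System.os_time(:second)) do
    with [header, payload, sig] <- String.split(token, "."),
         {:ok, %{"alg" => "RS256"}} <- decode_json(header),
         {:ok, raw_sig} <- Base.url_decode64(sig, padding: false),
         true <- :crypto.verify(:rsa, :sha256, header <> "." <> payload, raw_sig, [e, n]),
         {:ok, %{"iss" => ^expected_iss, "aud" => ^client_id, "exp" => exp} = claims} when is_integer(exp) <- decode_json(payload),
         true <- exp > now do
      {:ok, claims}
    else
      _ -> {:error, :invalid_id_token}
    end
  end

  def demo do
    {[e, n], [e, n, d | _]} = :crypto.generate_key(:rsa, {2048, 65537})
    iss = "https://issuer.example"   # constructed issuer and client id
    aud = "example-client-id"
    claims = %{"iss" => iss, "aud" => aud, "sub" => "user-1", "exp" => System.os_time(:second) + 300}
    token = sign(claims, [e, n, d])
    # Same header and signature, but a payload whose subject was changed.
    [header, _payload, sig] = String.split(token, ".")
    altered = header <> "." <> b64url(Jason.encode!(%{claims | "sub" => "user-2"})) <> "." <> sig
    # unverified_claims returns "user-2"; verify rejects the altered token and accepts the genuine one.
    {unverified_claims(altered)["sub"], verify(altered, [e, n], iss, aud), verify(token, [e, n], iss, aud)}
  end
end
```

Running `IdTokenCheck.demo()` returns `{"user-2", {:error, :invalid_id_token}, {:ok, claims}}`, which is the difference between decoding and verifying that the issue is about.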

danschultzer commented 4 years ago

Realized that AzureAD already gets the JWT verified with the OIDC base strategy, so I've updated the Apple strategy to use OIDC. It may need to be made more obvious, e.g. by returning the parsed JWT to the get_user/2 method.

danschultzer commented 4 years ago

Reopening this to see if I can make the JWT verification process clearer.