Closed danschultzer closed 4 years ago
Realized that AzureAD already gets the JWT verified with the OIDC base strategy, so I've updated the Apple strategy to use OIDC. It may need to be made more obvious, e.g. by returning the parsed JWT to the get_user/2 method.
Reopening this to see if I can make the JWT verification process clearer.
Based on https://github.com/pow-auth/assent/issues/18#issuecomment-551970381
These strategies pull claims from the id_token JWT, but don't verify them. It would be safer to always verify the tokens even if the full OAuth 2 code flow is used.