Validate OpenID claims #36
Conversation
| @@ -266,6 +283,43 @@ defmodule OpenIDConnect do | |||
| end | |||
| end | |||
|
|
|||
| defp verify_claims(claims, config) do | |||
| with :ok <- verify_exp_claim(claims, exp_leeway(config)), | |||
| :ok <- verify_aud_claim(claims, client_id(config)) do | |||
There was a problem hiding this comment.
Is the client_id always going be the same as the expected aud? I was under the impression these could be different. Apologies in advance if this comment betrays my ignorance :).
There was a problem hiding this comment.
From https://openid.net/specs/openid-connect-core-1_0.html#IDToken (emphasis mine)
aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
The audience_matches? private helper function handles the special case when the aud claim may contain multiple audiences.
| :ok <- verify_aud_claim(claims, client_id(config)) do | ||
| {:ok, claims} | ||
| end | ||
| end |
There was a problem hiding this comment.
Perhaps being able to opt out of these verifications would be useful to some. Certainly on board with secure by default.
This change resolves #35 by adding som basic ID token claims validation.
It should not be a breaking change unless this library is being used to validate non OIDC-compliant ID Tokens with the
verify/3function.