OpenID claims validation #35

Open
xavier opened this issue Jul 24, 2020 · 1 comment · Fixed by #50 · May be fixed by #36

Comments

xavier commented Jul 24, 2020

Thanks for creating this library; the integration into my project was a breeze, but I was surprised that OpenIDConnect.verify/3 is successful when given an expired token.

Shouldn't the documentation explicitly state that verify/3 only checks the token signature and that it's up to the application to validate the token claims?

I understand that, to some degree, claim validation is an application concern, but the OpenID spec lists a handful of required ID Token claims, among which are exp and aud. Wouldn't it make sense for an OpenID Connect implementation to validate those standard claims?
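The gap the issue describes is that a valid signature alone says nothing about whether the token is still live or was minted for this client. The module below is an added example written for this thread, not code from the openid_connect library or from the commenter. It checks the ID Token claims that OpenID Connect Core marks as required (iss, aud, exp, iat) plus the optional nbf, with a small clock-skew allowance, on a claims map that has already passed signature verification. The `expected_iss`, `client_id` and `@leeway` values are assumptions for illustration, and the `verify/3` call shape in the wrapper (provider, token, worker name with its default) is assumed from the function name on the page; adjust it to the library version in use.

```elixir
defmodule IdTokenClaims do
  @moduledoc """
  Validates the standard ID Token claims (iss, aud, exp, iat, nbf) on a claims
  map that has already passed signature verification. Added example; not part
  of the openid_connect library.
  """

  # Allowed clock skew in seconds between this host and the provider (assumed value).
  @leeway 60

  @doc """
  Returns :ok when every required claim checks out, or {:error, reason} for the
  first failing check. `now` is Unix time in seconds and defaults to the current time.
  """
  def validate(claims, expected_iss, client_id, now \\ System.os_time(:second)) do
    with :ok <- check_issuer(claims, expected_iss),
         :ok <- check_audience(claims, client_id),
         :ok <- check_expiry(claims, now),
         :ok <- check_issued_at(claims, now),
         :ok <- check_not_before(claims, now) do
      :ok
    end
  end

  # iss must be present and equal the issuer of the provider the signature was checked against.
  defp check_issuer(%{"iss" => iss}, expected) when iss == expected, do: :ok
  defp check_issuer(%{"iss" => _}, _), do: {:error, :issuer_mismatch}
  defp check_issuer(_, _), do: {:error, :missing_iss}

  # aud is a string or a list of strings; this client's id must be among them.
  defp check_audience(%{"aud" => aud}, client_id) when is_binary(aud) do
    if aud == client_id, do: :ok, else: {:error, :audience_mismatch}
  end

  defp check_audience(%{"aud" => aud}, client_id) when is_list(aud) do
    if client_id in aud, do: :ok, else: {:error, :audience_mismatch}
  end

  defp check_audience(_, _), do: {:error, :missing_aud}

  # exp is required; once the current time passes exp (plus leeway) the token is rejected.
  defp check_expiry(%{"exp" => exp}, now) when is_integer(exp) do
    if now < exp + @leeway, do: :ok, else: {:error, :token_expired}
  end

  defp check_expiry(_, _), do: {:error, :missing_exp}

  # iat is required; reject tokens that claim to have been issued in the future.
  defp check_issued_at(%{"iat" => iat}, now) when is_integer(iat) do
    if iat <= now + @leeway, do: :ok, else: {:error, :issued_in_future}
  end

  defp check_issued_at(_, _), do: {:error, :missing_iat}

  # nbf is optional; when present the token must not be used before it.
  defp check_not_before(%{"nbf" => nbf}, now) when is_integer(nbf) do
    if nbf <= now + @leeway, do: :ok, else: {:error, :token_not_yet_valid}
  end

  defp check_not_before(_, _), do: :ok
end

defmodule IdTokenCheck do
  @doc """
  Signature check followed by claims validation, so an expired or misdirected
  token never reaches application code as {:ok, claims}.
  """
  def verify_and_validate(provider, token, expected_iss, client_id) do
    # Assumed call shape: verify/3 with the worker-name argument left at its default,
    # returning {:ok, claims} when the signature is valid.
    with {:ok, claims} <- OpenIDConnect.verify(provider, token),
         :ok <- IdTokenClaims.validate(claims, expected_iss, client_id) do
      {:ok, claims}
    end
  end
end

# Constructed sample claims for a quick check; not issued by any real provider.
now = 1_595_548_800
issuer = "https://issuer.example"
claims = %{"iss" => issuer, "sub" => "user-123", "aud" => ["my-client"], "exp" => now + 300, "iat" => now - 10}

:ok = IdTokenClaims.validate(claims, issuer, "my-client", now)
{:error, :token_expired} = IdTokenClaims.validate(%{claims | "exp" => now - 600}, issuer, "my-client", now)
{:error, :audience_mismatch} = IdTokenClaims.validate(claims, issuer, "other-client", now)
{:error, :issuer_mismatch} = IdTokenClaims.validate(claims, "https://attacker.example", "my-client", now)
```

Each check is its own clause so a missing claim and a wrong claim produce distinct error atoms, which makes it easy to log which check rejected a token without exposing the claim values themselves.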

bcardarella (Member) commented

We're open to PRs to address this issue. At the moment I am not actively working on the library but am happy to review and merge if you have a fix.

@xavier xavier linked a pull request Jul 27, 2020 that will close this issue