Right now we do not explicitly validate the JWT tokens returned from whatever OIDC provider is in use.
We should confirm that either:
authlib handles this for us, or- We explicitly validate the returned tokens (in particular the
id_token, as this is what is used)
I prefer the latter, as the implementation of authlib may change, even if it handles validation now.
Steps required:
- Download JWK key-set from well-known endpoint
- Load key-set in authlib as an OAuth key
- Validate the
id_token or the entire response from the token endpoint, as appropriate
Right now we do not explicitly validate the JWT tokens returned from whatever OIDC provider is in use.
We should confirm that either:
authlibhandles this for us, orid_token, as this is what is used)I prefer the latter, as the implementation of
authlibmay change, even if it handles validation now.Steps required:
id_tokenor the entire response from the token endpoint, as appropriate