This repository was archived by the owner on Dec 13, 2018. It is now read-only.
Currently the OIDC handler needs to consider the entire message when validating whether a message is protocol compliant. Several areas need addressing.
Some are easy: when id_token + access_token arrive, the at_hash needs to be evaluated, similar to c_hash. The nonce claim is required in the 'code' and 'token' hybrid flows.
Some are more subtle (from spec):
If the auth_time Claim was requested, either through a specific request for this Claim or by using the max_age parameter, the Client SHOULD check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication.
If the JWT alg Header Parameter uses a MAC based algorithm such as HS256, HS384, or HS512, the octets of the UTF-8 representation of the client_secret corresponding to the client_id contained in the aud (audience) Claim are used as the key to validate the signature. For MAC based algorithms, the behavior is unspecified if the aud is multi-valued or if an azp value is present that is different than the aud value.
Etc. Some we should support; others we may want to leave to the Client to validate, since the spec calls out that many times the behavior is Client specific.
At a minimum I suggest:
change the API to OpenIdConnectProtocolValidator to take the OpenIdConnectMessage and TBD info.
we introduce a delegate, possibly on OIDCPValidator, that can be called for additional validation so that users don't have to derive for custom processing.
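As an added illustration of the message-level checks this issue lists (at_hash/c_hash binding, the hybrid-flow nonce, and auth_time against max_age), here is example code written for this discussion; it is not part of the repository and does not use its `OpenIdConnectProtocolValidator` API. It assumes the caller has already verified the id_token signature and decoded the claims into a dict; `validate_id_token_claims` and `token_hash` are hypothetical names.

```python
import base64
import hashlib
import time

# OIDC Core 3.3.2.11: at_hash and c_hash use the hash algorithm of the JWS alg
# (RS256/HS256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512).
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def token_hash(value: str, alg: str) -> str:
    """Left-most half of hash(ASCII octets of value), base64url without padding."""
    digest = _HASH_FOR_ALG[alg[-3:]](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def validate_id_token_claims(claims, alg, *, code=None, access_token=None,
                             expected_nonce=None, max_age=None, now=None):
    """Return the list of protocol violations found (empty means compliant).

    claims: decoded id_token payload whose signature the caller already verified."""
    errors = []
    # Hybrid flows (code id_token, id_token token, ...): nonce is required and
    # must echo the nonce sent in the authentication request.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        errors.append("nonce missing or does not match the request")
    # code arrived with the id_token: c_hash binds the code to this id_token.
    if code is not None and claims.get("c_hash") != token_hash(code, alg):
        errors.append("c_hash missing or does not match the code")
    # access_token arrived with the id_token: at_hash binds it to this id_token.
    if access_token is not None and claims.get("at_hash") != token_hash(access_token, alg):
        errors.append("at_hash missing or does not match the access_token")
    # max_age was requested: auth_time is required and must be recent enough;
    # the spec leaves the "too much time" decision to the Client, so max_age is
    # used as the threshold here (a Client-specific policy, per the issue text).
    if max_age is not None:
        auth_time = claims.get("auth_time")
        now = time.time() if now is None else now
        if auth_time is None:
            errors.append("auth_time missing although max_age was requested")
        elif now - auth_time > max_age:
            errors.append("too much time elapsed since authentication; re-authenticate")
    return errors
```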