Changes
This change adds back the verification of the JWT's signature, which was removed in version 2.3.0.
This PR adds back signature verification for both HS256- and RS256-signed JWTs. Tests have been added to ensure that we are indeed verifying signatures, and doing so in a way that does not introduce breaking changes.
Note:
As this library only supports the Authorization Code flow, per the [OIDC Specification section 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0-final.html#IDTokenValidation), verifying the ID Token's signature is not strictly required:
However, when we can verify the signature, we should; also, removing the signature verification was a regression that this change addresses.
Testing
In addition to adding unit tests to verify the signature verification and claims validation, I also tested with a Quickstart sample, with both RS256 and HS256 signing algorithms, using a local version of this SDK with this fix included:
Valid JWTs were verified successfully
JWTs with invalid signatures were rejected
This change adds unit test coverage
This change has been tested on the latest version of the platform/language or why not
Checklist