Verify id token not access token

louketo · Nov 12, 2020 · fe7edee · fe7edee
1 parent b043dea
commit fe7edee
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/handlers.go b/handlers.go
@@ -139,20 +139,20 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
 		return
 	}
 
+	// step: check the id token is valid
+	if err = verifyToken(r.client, token); err != nil {
+		r.log.Error("unable to verify the id token", zap.Error(err))
+		r.accessForbidden(w, req)
+		return
+	}
+
 	access, id, err := parseToken(resp.AccessToken)
 	if err == nil {
 		token = access
 		identity = id
 	} else {
 		r.log.Warn("unable to parse the access token, using id token only", zap.Error(err))
 	}
-
-	// step: check the access token is valid
-	if err = verifyToken(r.client, token); err != nil {
-		r.log.Error("unable to verify the id token", zap.Error(err))
-		r.accessForbidden(w, req)
-		return
-	}
 	accessToken := token.Encode()
 
 	// step: are we encrypting the access token?