Add a way to verify token signature

[Daniel-Houston]

In lib/token.js on line 231 you are calling verifyToken as follows.

okta-auth-js/lib/token.js

Line 231 in c4906a2

return verifyToken(sdk, idToken, oauthParams.nonce, true)

That last value of true sets the variable 'ignoreSignature' to true, thereby skipping the validation of the jwt signature in the verifyToken function, which parseFromUrl uses indirectly (parseFromUrl -> handleOAuthResponse -> verifyToken) My first question is what is the reasoning for always ignoring the signature of the idToken? And my second question is would you be willing to make that configurable or open to a PR that would make it configurable?

Thanks!

[Daniel-Houston]

Anyone have any comment on this?

[Daniel-Houston]

@jmelberg-okta Sorry to pester you, but to me this issue seems more pressing than my other issue, since the id token signature is never validated. Do you have any thoughts on this one?

[jmelberg-okta]

I'm not sure of the historical reason as to why we're ignoring signature validation when receiving the idToken from the /token endpoint. IMO we should be defaulting this to false to ensure it gets validated.

Our team is auditing this library + making changes to ensure we have all the necessary ID Token Validation steps.

Secondly, calling token.verifyIdToken() does validate the signature by retrieving the JWKS. You can see how it is implemented here. If you're using this for Implicit flows, please use that method instead of relying on the default behavior.

I'd be happy to take a look at a PR with these changes if you have time. Please make sure to review/sign our CLA beforehand.

Thanks!

[jmelberg-okta]

Resolved with 2.0.0.