
Use /.well-known/openid-configuration issuer attribute for id_token validation #555

Closed

Conversation

scottirvinsonos

Other Okta SDKs use the issuer URL found in the /.well-known/openid-configuration response body when validating the id_token. This SDK currently uses the URL specified in the config object passed to the constructor at the time the OAuth client object is instantiated. This is not desirable as it makes it impossible to use a proxy with Okta.

The change made uses the issuer attribute found in the /.well-known/openid-configuration response body and compares it to the issuer claim in the id_token to validate the token.

…l-known response instead of the user specified issuer
…l-known response instead of the user specified issuer
	-- Other Okta SDKs use the issuer URL found in the /.well-known/openid-configuration when validating the id_token. This SDK currently uses the
	   URL specified in the config object passed to the constructor at the time the OAuth client object is instantiated. This is not desirable as
	   it makes it impossible to use OIDC with a proxy.

	   The change made uses the issuer attribute found in the /.well-known/openid-configuration response body and compares it to the issuer claim in
	   the id_token to validate the token.
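The check the PR describes, as an added example that is not okta-auth-js code: decode the id_token claims, take the issuer from the discovery document rather than from the client's config object, and require an exact match. Every URL, token and discovery document below is constructed sample data; the reverse proxy hostname, the Okta org hostname and the placeholder signature are assumptions for illustration. Signature verification against the discovery document's jwks_uri, plus audience and expiry checks, are deliberately left out and must still run before a token is accepted.

```javascript
// Added example (not okta-auth-js code): validate the id_token "iss" claim
// against the issuer advertised by /.well-known/openid-configuration instead
// of the issuer URL the application was configured with. Sample data only.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const padded =
    str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split a compact JWS into its three segments and parse the JSON payload.
// Only the claims are decoded here; the signature segment is passed through
// untouched and must be verified separately with the jwks_uri keys.
function decodeIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a three-part compact JWS');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// The discovery document's "issuer" is the value to compare against. A
// discovery response that advertises a non-https issuer is rejected outright.
function issuerFromDiscovery(discoveryDoc) {
  const issuer = discoveryDoc && discoveryDoc.issuer;
  if (typeof issuer !== 'string' || !/^https:\/\/[^/?#]+/.test(issuer)) {
    throw new Error('discovery document lacks a valid https issuer');
  }
  return issuer;
}

// Exact string comparison, as OIDC Core requires for "iss": no normalization
// and no prefix matching, so a trailing slash or a different host is a mismatch.
function validateIssuerClaim(idToken, expectedIssuer) {
  const { payload } = decodeIdToken(idToken);
  return typeof payload.iss === 'string' && payload.iss === expectedIssuer;
}

// --- Constructed sample data ------------------------------------------------
// The app reaches Okta through a reverse proxy, so its config holds the proxy
// hostname, while the tokens Okta mints carry the org's real issuer URL.
const CONFIGURED_PROXY_ISSUER = 'https://proxy.example.com/oauth2/default';
const SAMPLE_DISCOVERY = {
  issuer: 'https://dev-000000.okta.example/oauth2/default',
  jwks_uri: 'https://dev-000000.okta.example/oauth2/default/v1/keys',
};

function makeSampleToken(claims) {
  const header = { alg: 'RS256', kid: 'constructed-kid' };
  // Placeholder signature segment: this example never verifies it.
  return `${base64UrlEncode(header)}.${base64UrlEncode(claims)}.placeholder-signature`;
}

const SAMPLE_ID_TOKEN = makeSampleToken({
  iss: SAMPLE_DISCOVERY.issuer,
  sub: '00u-constructed',
  aud: 'constructed-client-id',
  exp: 4102444800,
});

// A token minted by some other authorization server for the same app.
const OTHER_ISSUER_TOKEN = makeSampleToken({
  iss: 'https://other-tenant.example/oauth2/default',
  sub: '00u-constructed',
  aud: 'constructed-client-id',
  exp: 4102444800,
});

// Pre-PR behaviour compares against the configured (proxy) URL and fails for a
// genuine token; post-PR behaviour compares against the discovery issuer.
function demonstrate() {
  const discoveryIssuer = issuerFromDiscovery(SAMPLE_DISCOVERY);
  return {
    againstConfiguredIssuer: validateIssuerClaim(SAMPLE_ID_TOKEN, CONFIGURED_PROXY_ISSUER),
    againstDiscoveryIssuer: validateIssuerClaim(SAMPLE_ID_TOKEN, discoveryIssuer),
    otherIssuerToken: validateIssuerClaim(OTHER_ISSUER_TOKEN, discoveryIssuer),
  };
}

console.log(demonstrate());
```

The discovery document itself must be fetched over TLS from the issuer the application trusts; if it is fetched through the proxy, that proxy becomes part of the trust boundary, since whatever issuer it returns is what tokens will be checked against.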
@swiftone
Contributor

swiftone commented Dec 8, 2020

@scottirvinsonos - Thanks for the PR, we'll take a look (because token validation is such a key issue, we will rope in a few people on this)

Meanwhile, have you signed a CLA? You can find a description, the CLA itself, and the email address to send it after signing here: https://developer.okta.com/cla/

I'll get the review started on this, thanks again.

@scottirvinsonos
Author

Signed the CLA and sent to CLA@okta.com

@swiftone
Contributor

Internal ref: OKTA-362486

@aarongranick-okta
Contributor

@scottirvinsonos Thank you again for this feature request and PR submission. I'm happy to report that this feature was released, in version 4.8.0. Please let us know if you have any problems with using okta-auth-js.

3 participants