Comments (4)
Anyone have any comment on this?
from okta-auth-js.
@jmelberg-okta Sorry to pester you, but to me this issue seems more pressing than my other issue, since the id token signature is never validated. Do you have any thoughts on this one?
from okta-auth-js.
I'm not sure of the historical reason as to why we're ignoring signature validation when receiving the idToken from the /token endpoint. IMO we should be defaulting this to false to ensure it gets validated.
Our team is auditing this library + making changes to ensure we have all the necessary ID Token Validation steps.
Secondly, calling token.verifyIdToken() does validate the signature by retrieving the JWKS. You can see how it is implemented here. If you're using this for Implicit flows, please use that method instead of relying on the default behavior.
I'd be happy to take a look at a PR with these changes if you have time. Please make sure to review/sign our CLA beforehand.
Thanks!
from okta-auth-js.
Resolved with 2.0.0.
from okta-auth-js.