Client side callback validations #4
Issue opened by @whossname:

I have been implementing my own ueberauth strategy for Azure Active Directory and only noticed this one as it was nearing completion. I have had a quick look at your code and can't see the callback validations? I would expect there to at least be a check for the nonce. The openid specification expects validations for the following:

Are you using a protocol that doesn't need these validations? Or are the developers using this library expected to do these validations to allow for more flexibility?

Comment by @swelham:

Hi @whossname. Can you provide a link to the docs regarding this please? I built this primarily for authenticating with the MS graph API and I'm a little out of touch with the Azure AD stuff. p.s. sorry for the late response, somehow I completely missed your question.

Comment by @whossname:

Hey @swelham. So I'm mostly talking about the Azure Active Directory implementation of openid. It has been a while since I worked on this, but I am planning on doing some work for it over the weekend, so I will get back to you when I have a better understanding. I think this is a good place to start for the Microsoft side of things: Then there is the validation piece that I am talking about: Then the openid idtoken validation specification: As you can see in the last link the id_token should be validated for at least:

Additionally I think the following are a good idea:

My repo is here (still a work in progress): In this file: I verify the above, plus the c_hash.
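The callback checks this thread is asking for (issuer, audience, expiry, the session-bound nonce, and the c_hash that ties a returned authorization code to the id_token), as an added Python example that is not part of ueberauth or of either commenter's repository. The claim checks follow OpenID Connect Core sections 3.1.3.7 (ID token validation) and 3.3.2.11 (c_hash); the issuer, client id, nonce and code values are constructed placeholders, and the validator assumes the token's signature has already been verified against the provider's JWKS, so it checks claims only.

```python
import base64
import hashlib
import hmac
import json
import time

# OIDC Core 3.3.2.11: the hash used for c_hash is the one implied by the JWS alg
# of the id_token header (RS256 -> SHA-256, ES384 -> SHA-384, HS512 -> SHA-512).
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def expected_c_hash(code: str, alg: str) -> str:
    """c_hash = base64url(left-most half of HASH(ascii(code))), HASH chosen by alg."""
    hash_fn = _HASH_FOR_ALG.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"unsupported alg for c_hash: {alg}")
    digest = hash_fn(code.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token_claims(id_token, *, issuer, client_id, nonce, code=None, now=None, leeway=60):
    """Return the claims if every check passes, else raise ValueError naming the failed check.

    Assumption: the JWS signature was already verified against the provider's JWKS.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _signature = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:  # covers unpack, base64 and JSON/unicode errors
        raise ValueError("malformed id_token") from exc

    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not contain our client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name our client_id when aud has several entries")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("exp in the past")
    if "iat" not in claims or claims["iat"] > now + leeway:
        raise ValueError("iat in the future")
    # The nonce binds this token to the session that started the authorization request.
    if not nonce or not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")
    # Hybrid flow: the code delivered alongside the id_token must match its c_hash.
    if code is not None:
        if "c_hash" not in claims:
            raise ValueError("c_hash missing")
        expected = expected_c_hash(code, header.get("alg", ""))
        if not hmac.compare_digest(str(claims["c_hash"]).encode(), expected.encode()):
            raise ValueError("c_hash mismatch")
    return claims


def id_token_error(id_token, **kwargs):
    """Convenience wrapper: None when valid, otherwise the failed check's message."""
    try:
        validate_id_token_claims(id_token, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def make_unsigned_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed test input only: a JWT with an empty signature segment."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed placeholders standing in for a real tenant, client, session nonce and code.
SAMPLE_ISSUER = "https://login.example.test/tenant-id-placeholder/v2.0"
SAMPLE_CLIENT = "client-id-placeholder"
SAMPLE_NONCE = "nonce-from-session"
SAMPLE_CODE = "authorization-code-from-callback"
SAMPLE_NOW = 1_700_000_000


def sample_claims(**overrides):
    claims = {
        "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT, "sub": "user-1",
        "iat": SAMPLE_NOW - 5, "exp": SAMPLE_NOW + 3600, "nonce": SAMPLE_NONCE,
        "c_hash": expected_c_hash(SAMPLE_CODE, "RS256"),
    }
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    token = make_unsigned_token(sample_claims())
    print(id_token_error(token, issuer=SAMPLE_ISSUER, client_id=SAMPLE_CLIENT,
                         nonce=SAMPLE_NONCE, code=SAMPLE_CODE, now=SAMPLE_NOW))
```

The nonce and c_hash comparisons use `hmac.compare_digest` so that a wrong value fails in constant time, and the error messages name the failed check so a strategy can log which validation rejected a callback without echoing the token itself.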