[SDK-974] Improved OIDC compliance #1059
Conversation
One comment around the validation happening here. Approving for now as it isn't a blocker.
if ( | ||
validationError.error !== 'invalid_token' || | ||
validationError.errorDescription === 'Nonce does not match.' | ||
(validationError.errorDescription && |
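Review bot: the branch keys on a free-text description ('Nonce does not match.') in addition to the error code, and the visible condition is cut off at "(validationError.errorDescription &&", so the full predicate cannot be read here. Because any change to the wording of that description in the verifier would silently change which validation failures this branch handles, suggest extracting the whole predicate into a named boolean (for example "var isNonceMismatch = ...") and, if the verifier exposes a more specific code than 'invalid_token', comparing against that instead of the string.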
Consider breaking this logic out into a variable for more clarity.
Also ... why are we checking the description as well if we have an error code for this?
This just modifies existing logic rather than rewriting it. We do have an error code but it's the same error code for every error. I don't think the check here is terrible, but it could be refactored later if desired.
@@ -414,7 +437,8 @@ WebAuth.prototype.validateToken = function(token, nonce, cb) { | |||
jwksURI: this.baseOptions.jwksURI, | |||
audience: this.baseOptions.clientID, | |||
leeway: this.baseOptions.leeway || 0, | |||
__disableExpirationCheck: this.baseOptions.__disableExpirationCheck |
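Review bot: the last line forwards __disableExpirationCheck from baseOptions into validateToken, while the description of this PR says the option has now been removed from idtoken-verifier; confirm whether the verifier at 2.0.0 still honours it, and if not, drop the line rather than forward an option that is silently ignored. If it is kept as a test-only escape hatch, document next to it that it must never be set in a production configuration, since it turns off the exp check that leeway (default 0 here) is meant to bound.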
🎉
Newly documented creation option: auth0/auth0.js#1059 https://github.com/auth0/auth0.js/#initialize Thanks!
Changes
- idtoken-verifier to 2.0.0 for [SDK-974] Improved OIDC compliance idtoken-verifier#77
- __disableExpirationCheck, which has now been removed from idtoken-verifier
Testing
Unit tests were updated, tested manually in Chrome + IE11 to see that the ID token validation checks still passed at runtime.
Checklist
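The checks that validateToken delegates to the verifier (audience, expiration with leeway, nonce) and the error-classification question raised in the review thread, as an added example. This is not auth0.js or idtoken-verifier code; it assumes an already signature-verified, decoded claim set, and every function name, the structured "code" field on the error object and the sample claims are assumptions constructed for this example.

```javascript
// Added example, not auth0.js or idtoken-verifier code. Demonstrates the
// claim checks behind an "audience" / "leeway" / "nonce" option set and a
// structured error code that lets callers branch without matching the
// description text. All names below are assumptions made for this example.

// Validation errors carry one generic error plus a stable, specific code and
// a human-readable description (the description is for logs, not for logic).
function validationError(code, description) {
  return { error: 'invalid_token', code: code, errorDescription: description };
}

// Check the claims of an already-decoded, signature-verified ID token.
// nowSeconds is injected so the check is deterministic under test.
// Returns null when every check passes, otherwise a validationError.
function validateIdTokenClaims(claims, options, nowSeconds) {
  var leeway = options.leeway || 0; // clock-skew allowance, default 0

  if (claims.iss !== options.issuer) {
    return validationError('iss_mismatch', 'Issuer is not trusted.');
  }

  // aud may be a single string or an array of strings.
  var audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (audiences.indexOf(options.audience) === -1) {
    return validationError('aud_mismatch', 'Audience does not match.');
  }

  if (typeof claims.exp !== 'number') {
    return validationError('exp_missing', 'Expiration claim is missing.');
  }
  // Leeway bounds skew; there is deliberately no way to skip this check.
  if (nowSeconds > claims.exp + leeway) {
    return validationError('expired', 'Token is expired.');
  }
  if (typeof claims.iat === 'number' && claims.iat > nowSeconds + leeway) {
    return validationError('iat_future', 'Token was issued in the future.');
  }

  // Only compare the nonce when the caller supplied one to compare against.
  if (options.nonce !== undefined && claims.nonce !== options.nonce) {
    return validationError('nonce_mismatch', 'Nonce does not match.');
  }
  return null;
}

// Named predicate for the branch discussed in review: with a structured
// code the caller never needs to compare errorDescription text.
function isNonceMismatch(err) {
  return !!err && err.error === 'invalid_token' && err.code === 'nonce_mismatch';
}

// Constructed sample claims and options for a local run (not real values).
var SAMPLE_CLAIMS = {
  iss: 'https://tenant.example.com/',
  aud: ['client-abc'],
  exp: 1700000600,
  iat: 1700000000,
  nonce: 'n-0S6_WzA2Mj'
};
var SAMPLE_OPTIONS = {
  issuer: 'https://tenant.example.com/',
  audience: 'client-abc',
  leeway: 60,
  nonce: 'n-0S6_WzA2Mj'
};
```

Calling validateIdTokenClaims(SAMPLE_CLAIMS, SAMPLE_OPTIONS, 1700000500) returns null; moving nowSeconds past exp plus the 60-second leeway yields a code of 'expired', and supplying a different nonce yields 'nonce_mismatch', which isNonceMismatch recognises without looking at the description.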