Is there an existing issue for this?
Is your feature request related to a problem? Please describe the problem.
Related to #4650 (Decrypt UserInfo-response).
I would like to validate the JWT retrieved from the UserInfo endpoint. The response I'm dealing with is not encrypted, so the payload can be read, but I would also like to validate the response before continuing.
My workaround is similar to #4650.
Describe the solution you'd like
It would be nice to be able to implement callback events from the existing handler to be able to validate the JWT (if it shouldn't be validated at all times, with an opt-out flag in Options and validation handled in the handler itself).
Additional context
A local Keycloak server could be configured to sign the UserInfo-response JWT, and I believe also to encrypt the JWT if you would also like to fit #4650 into the solution when developing.
Thanks for filing this issue. I do think #4650 should be prioritized ahead of this, since a new event prior to parsing the UserInfo response would allow for both handling encrypted JWTs and validating signed JWTs without any breaking changes.
I agree this is not a duplicate of that issue considering you would like at least the option to validate the UserInfo JWT automatically. I suspect we would make this opt-in rather than opt-out, however. We don't even validate the id token signature in the authorization code flow. See here for where it's skipped.
Given that the UserInfo endpoint is protected by TLS, and you're presumably solely relying on TLS to ensure the validity of the .well-known/openid-configuration endpoint, jwks_uri, etc., is there a particular reason the UserInfo response needs an extra layer of validation?
If it's a hard requirement, I think your best bet until we address this issue would be to leave GetClaimsFromUserInfoEndpoint false but set SaveTokens to true. Then after successfully signing in, you could make a request to the userinfo_endpoint yourself using HttpClient with the saved access token. Then you could do any validation of the response you want before reading whatever claims you need and reissuing the cookie.
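The workaround sketched in the reply above, written out as an added example for a minimal-hosting ASP.NET Core app. This is not code from the issue or from the ASP.NET Core project. It assumes the Authority, ClientId, route and configuration key are placeholders, that the provider returns the UserInfo response as a signed JWT (Content-Type application/jwt, per OIDC Core 5.3.2), and that the IdP's discovery document and JWKS are reachable. The handler keeps GetClaimsFromUserInfoEndpoint off and SaveTokens on; the endpoint below then fetches UserInfo itself, validates the signature, issuer, audience and the sub match against the signed-in subject, merges the claims, and reissues the cookie.

```csharp
// Added example (not the issue's or the project's code). Placeholders are marked.
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http.Headers;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

const string Authority = "https://idp.example.test/realms/demo"; // placeholder
const string ClientId = "my-client";                               // placeholder

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
// One cached discovery/JWKS manager for the whole app (it refreshes keys on rollover).
builder.Services.AddSingleton<IConfigurationManager<OpenIdConnectConfiguration>>(
    new ConfigurationManager<OpenIdConnectConfiguration>(
        $"{Authority}/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever()));

builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
    o.Authority = Authority;
    o.ClientId = ClientId;
    o.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // placeholder key
    o.ResponseType = OpenIdConnectResponseType.Code;
    o.GetClaimsFromUserInfoEndpoint = false; // as suggested: the handler stays out of UserInfo
    o.SaveTokens = true;                     // so the access token is available afterwards
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hit once after the OIDC sign-in has completed (e.g. as the post-login landing route).
app.MapGet("/userinfo/refresh", async (HttpContext ctx, IHttpClientFactory http,
    IConfigurationManager<OpenIdConnectConfiguration> configManager) =>
{
    if (ctx.User.Identity?.IsAuthenticated != true) return Results.Challenge();

    var accessToken = await ctx.GetTokenAsync("access_token");
    if (accessToken is null) return Results.Problem("no saved access_token");

    var oidc = await configManager.GetConfigurationAsync(ctx.RequestAborted);

    using var client = http.CreateClient();
    using var req = new HttpRequestMessage(HttpMethod.Get, oidc.UserInfoEndpoint);
    req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    using var resp = await client.SendAsync(req, ctx.RequestAborted);
    resp.EnsureSuccessStatusCode();

    // A signed UserInfo response is a JWT served as application/jwt; anything else is
    // plain JSON that carries no signature to check, so refuse it under this policy.
    if (resp.Content.Headers.ContentType?.MediaType != "application/jwt")
        return Results.Problem("expected a signed (application/jwt) UserInfo response");
    var userInfoJwt = await resp.Content.ReadAsStringAsync(ctx.RequestAborted);

    // Signature from the discovery JWKS, iss/aud pinned, and the alg allow-list is a
    // policy choice for this example (a real deployment matches the IdP's configured alg).
    var validation = new TokenValidationParameters
    {
        ValidIssuer = oidc.Issuer,
        ValidAudience = ClientId,
        IssuerSigningKeys = oidc.SigningKeys,
        ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
    };
    ClaimsPrincipal validated;
    try { validated = new JwtSecurityTokenHandler().ValidateToken(userInfoJwt, validation, out _); }
    catch (SecurityTokenException e) { return Results.Problem($"UserInfo JWT rejected: {e.Message}"); }

    // OIDC Core 5.3.2: the UserInfo sub MUST equal the ID Token's sub. With inbound claim
    // mapping on, "sub" arrives as ClaimTypes.NameIdentifier; fall back to raw "sub".
    var signedInSub = ctx.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? ctx.User.FindFirstValue("sub");
    var userInfoSub = validated.FindFirstValue(ClaimTypes.NameIdentifier) ?? validated.FindFirstValue("sub");
    if (signedInSub is null || userInfoSub != signedInSub)
        return Results.Problem("UserInfo sub does not match the signed-in subject");

    // Merge the validated claims into the cookie identity and reissue the cookie.
    var identity = (ClaimsIdentity)ctx.User.Identity!;
    foreach (var c in validated.Claims)
        if (!identity.HasClaim(c.Type, c.Value)) identity.AddClaim(c);
    var current = await ctx.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, ctx.User, current.Properties);
    return Results.Redirect("/");
});

app.Run();
```

Two caveats a practitioner will hit: the spec only says a signed UserInfo JWT SHOULD carry iss and aud, so if your provider omits aud the ValidAudience check above fails and you have to decide whether to accept that or configure the IdP to include it; and the sub comparison is not optional, since a valid signature from the right issuer says nothing about whose claims you just received.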