According to my understanding of ID tokens, ID tokens are typically used to display user information. However, the documentation also says that ID tokens should be validated before they are used. To quote the documentation:
These claims are statements about the user, which can be trusted if the consumer of the token can verify its signature.
I am doubtful why validation is necessary here:
- In the Auth0 context, we get ID tokens from Auth0, which is a trusted party. In other words, I can trust whatever Auth0 tells me, including ID tokens.
- Now suppose for some reason my assumption in (1) is not valid (e.g.,MITM, etc). Validating the tokens still will not help. For e.g., if I am using RS256, I will fetch the keys from
/.well-known/jwks.json, which are still coming from Auth0 (i.e., at most as trustworthy as the ID tokens).
I’d really appreciate if anyone can clarify the importance of validating ID tokens.
I would say it’s possible to find a specific scenario where the actual validation procedure won’t add much to the process; a good example would be the one you mention. If you get the ID token from a server-side component by directly calling the token endpoint and you also dynamically obtain the key used to validate the token through a call to the /jwks.json endpoint then you’re putting all your trust in the TLS communication channel. In this situation, a MITM capable of intercepting TLS traffic would completely own you so the validation would not add much. As an additional note, to be honest if you’re doing OAuth2 and you can’t trust TLS then you’re pretty much screwed from the start no matter the scenario.
Having said that, this is a very specific situation where just a small change could mean that doing the validation procedure would be worthwhile. For example, if you obtained the public key through a side-channel and always used that specific key then the MITM could still be able to intercept TLS, but they would still have to have access to the private key for token signing in order to forge actual tokens.
In conclusion, I personally prefer that general documentation suggest that token validation is always to be done. Even if you’re in a situation where the validation process would not add anything to the process, the overhead of doing it is unlikely to cause issues and it’s better than leading someone to incorrectly think that they are okay with bypassing that validation.
Thanks for the clarification!