Do you need to verify the ID token in afterCallback?

I’m using Auth0’s express-openid-connect npm package to provide authentication in my Express (Next.js) server-side app, and had two security-related questions.

First, in the SDK configuration option afterCallback, can one assume that the ID token (a JWT) passed in has already been trusted/verified by the SDK? Or would I need to verify it manually? I thought it might already be verified because on this docs page it reads “All of our backend API quickstarts use SDKs that perform JWT validation and parsing for you.”

The second question is: what’s the appropriate usage of req.oidc.isAuthenticated()? I assumed if the oidc object is present and has a req.oidc.user key in it then that user is the logged in user. Is that thinking correct? When should you rely on the user key vs the isAuthenticated() function?

Thanks in advance!

  1. Yes, you can trust the token, because Auth0 has an encrypted JWT token (meaning that even if you try to decode it at jwt.io you won’t be able to see the payload). express-openid-connect decrypts that token, verifies it, and after that adds the payload to req.oidc.idTokenClaims.
  2. In express-openid-connect you can check the validity of the user with the requiresAuth middleware or the req.oidc.isAuthenticated() function. Don’t use req.oidc.user to check authentication; use req.oidc.isAuthenticated() instead. With that, error handling will also be easier.
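The following is an added example, not code from the thread or from the express-openid-connect project. It shows the two points from the answer side by side: an afterCallback hook that only decodes the ID token claims (signature verification is left to the SDK, which runs before the hook) and applies a login policy, and a route guard that relies on req.oidc.isAuthenticated() rather than on the presence of req.oidc.user. Assumptions: the environment variable names, the email_verified policy, and the makeUnsignedJwt helper (which builds an unsigned token only so the hook can be exercised offline) are all constructed for this example; in a real app the returned config object is passed to `auth()` from the package and the guard is mounted on protected routes.

```javascript
// Added example (not from the original thread or the express-openid-connect project).
// In a real app: const { auth } = require('express-openid-connect');
//               app.use(auth(buildAuthConfig(process.env)));
//               app.get('/profile', requireAuthenticated, handler);

// Decode the payload of a compact JWS without verifying it. This is
// acceptable only inside afterCallback, where the SDK has already validated
// the ID token before handing the session to the hook.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Constructed helper for offline demonstration only: builds an UNSIGNED token
// (alg "none") so afterCallback can be exercised without an identity provider.
function makeUnsignedJwt(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.`;
}

// Build the express-openid-connect configuration. Variable names are assumed.
function buildAuthConfig(env) {
  return {
    authRequired: false,            // protect routes individually with the guard below
    auth0Logout: true,
    secret: env.SECRET,             // used by the SDK to encrypt the session cookie
    baseURL: env.BASE_URL,
    clientID: env.CLIENT_ID,
    issuerBaseURL: env.ISSUER_BASE_URL,
    // Called after the SDK has exchanged the code and validated the ID token.
    // Throwing here aborts the login; returning the session completes it.
    afterCallback: (req, res, session) => {
      const claims = decodeJwtPayload(session.id_token);
      if (!claims.sub) throw new Error('login rejected: ID token has no subject');
      if (claims.email_verified !== true) {
        throw new Error('login rejected: email address not verified'); // example policy
      }
      return session;
    },
  };
}

// Route guard: trust the SDK's isAuthenticated(), which checks the session
// state, not merely whether a user object happens to be attached to req.oidc.
function requireAuthenticated(req, res, next) {
  const oidc = req.oidc;
  if (oidc && typeof oidc.isAuthenticated === 'function' && oidc.isAuthenticated()) {
    return next();
  }
  res.status(401).json({ error: 'unauthenticated' });
}

// Stand-alone demonstration with constructed request objects.
function demo() {
  const config = buildAuthConfig({
    SECRET: 'example-secret', BASE_URL: 'http://localhost:3000',
    CLIENT_ID: 'example-client', ISSUERBASE_URL: undefined, ISSUER_BASE_URL: 'https://example.invalid',
  });
  const session = { id_token: makeUnsignedJwt({ sub: 'auth0|123', email_verified: true }) };
  const accepted = config.afterCallback({}, {}, session) === session;

  const results = [];
  const res = { status(code) { results.push(code); return this; }, json() { return this; } };
  requireAuthenticated({ oidc: { user: { sub: 'x' }, isAuthenticated: () => false } }, res, () => results.push('next'));
  requireAuthenticated({ oidc: { isAuthenticated: () => true } }, res, () => results.push('next'));
  return { accepted, results }; // { accepted: true, results: [401, 'next'] }
}

module.exports = { decodeJwtPayload, makeUnsignedJwt, buildAuthConfig, requireAuthenticated, demo };
```

The guard deliberately ignores req.oidc.user: a user object can be present on a request whose session the SDK no longer considers valid, so the authoritative check is the function the SDK exposes for exactly that purpose.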