I traced the source code for OidcClient2. The Auth0 SDK is simply a wrapper for this library.
I found that validation of the Identity Token does occur within the IdentityTokenValidator class. ONLY the Identity token is processed by this method. The Access token is not validated here.
Search for the following method:
    private ClaimsPrincipal ValidateSignature(string identityToken, JwtSecurityTokenHandler handler, TokenValidationParameters parameters)
The only validation I can find of the Access token is below. I cannot determine what the purpose of this code is within the ResponseProcessor class in the OidcClient2 library. I think to understand this better I would need access to the source code for JwtSecurityTokenHandler. The JwtSecurityTokenHandler is what sets the value of atHash from what I can see.
    // Read the at_hash claim that JwtSecurityTokenHandler extracted from the validated ID token.
    var atHash = validationResult.User.FindFirst(JwtClaimTypes.AccessTokenHash);
    if (atHash == null)
        return new TokenResponseValidationResult("at_hash is missing.");

    // Recompute the hash of the received access token and compare it with the claim value.
    if (!_crypto.ValidateHash(response.AccessToken, atHash.Value, validationResult.SignatureAlgorithm))
        return new TokenResponseValidationResult("Invalid access token hash.");

    return new TokenResponseValidationResult(validationResult);
By the way, the Auth0Client instantiates the OidcClient(options) with options.Policy.RequireAccessTokenHash = 'false'. This variable is used above.
In the Auth0Client class:
    RequireAuthorizationCodeHash = false,
    RequireAccessTokenHash = false
So, in conclusion from what I can see:
1.) The Identity token is always validated by the Auth0SDK.
2.) I am still not certain if the Access token is validated.
Can someone please trace my findings and let me know if my conclusions are correct?
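Added example (Python, not code from OidcClient2 or the Auth0 SDK): a reimplementation of the at_hash check in the snippet above, computed as OIDC Core section 3.1.3.6 specifies it, with the RequireAccessTokenHash policy modelled as a parameter. It shows that when the policy is false, an ID token that carries no at_hash claim accepts the access token without any check; function names and the constructed tokens are assumptions.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hash function implied by the ID token's JWS "alg" (RFC 7518); the access token
# is hashed with the same family, e.g. RS256 -> SHA-256.
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512, "HS512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str) -> str:
    """Left-most half of the hash of the access token's ASCII bytes, base64url, no padding."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


@dataclass
class ValidationResult:
    ok: bool
    error: Optional[str] = None


def validate_token_response(id_token_claims: dict, access_token: str, alg: str,
                            require_access_token_hash: bool) -> ValidationResult:
    """Mirrors the post's snippet: the only check on the access token is the at_hash binding.

    id_token_claims are the claims of the already signature-validated ID token;
    require_access_token_hash plays the role of Policy.RequireAccessTokenHash.
    """
    at_hash = id_token_claims.get("at_hash")
    if at_hash is None:
        if require_access_token_hash:
            return ValidationResult(False, "at_hash is missing.")
        # Policy permits a missing at_hash: the access token is accepted unchecked.
        return ValidationResult(True)
    # Constant-time comparison of the recomputed hash against the claim value.
    if not hmac.compare_digest(compute_at_hash(access_token, alg), at_hash):
        return ValidationResult(False, "Invalid access token hash.")
    return ValidationResult(True)
```

With require_access_token_hash=False, an issuer that omits at_hash from the ID token leaves the access token unbound, which is the case the question is asking about.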