I recently created a new Enterprise OIDC connection that is working fine. But how can I be sure that the id_token returned by the IdP is checked by Auth0? (check of nonce, iss, aud, azp, amr, etc…)
Thanks for your help
Or another question: how is it possible to access the id_token returned by the IdP (in the case of an Enterprise connection), for example in a “Rule”?
Auth0 doesn’t validate tokens for you. It is up to the app (for an ID token) or the API (for an access token) to validate the token.
Yes, but it seems that in the case of an OIDC Enterprise connection there are 2 access and 2 id tokens:
- the ones provided by the IdP to Auth0, to validate the delegated authentication.
- the ones provided by Auth0 to the end user, then used to request my API.
I want to have access to the ones provided by the IdP, but they don’t seem to be available in rules.
Ok, that makes sense … now I understand what you mean. I am not aware of any method for manually validating the tokens from the 3rd party IdP, but I am fairly certain Auth0 will reject invalid tokens for you.
I have not tried this with OIDC enterprise connections but Auth0 does reject an invalid security token from a SAML enterprise connection, e.g., a token signed with the wrong signing cert. I would assume it would do the same for an invalid ID / access token.