Hi,
I recently created a new Enterprise OIDC connection that is working fine. But how could I be sure that the id_token returned by the IdP is checked by Auth0? (check of nonce, iss, aud, azp, amr, etc…)
Thanks for your help
Etienne
Or other question: how is it possible to access id_token returned by IdP (in case of Enterprise connection), for example in a “Rule”?
Auth0 doesn’t validate tokens for you. It is up to the app (for an ID token) or the API (for an access token) to validate the token.
Hi @markd
Yes but it seems like in case of OIDC Enterprise connection there are 2 access and 2 id tokens:
- the ones provided by the IdP to Auth0, to validate the delegated authentication.
- the ones provided by Auth0 to the end user, then used to request my API.
I want to have access to the ones provided by the IdP, but it doesn’t seem to be available in rules
Ok, that makes sense … now I understand what you mean. I am not aware of any method for manually validating the tokens from the 3rd party IdP, but I am fairly certain Auth0 will reject invalid tokens for you.
I have not tried this with OIDC enterprise connections but Auth0 does reject an invalid security token from a SAML enterprise connection, e.g., a token signed with the wrong signing cert. I would assume it would do the same for an invalid ID / access token.
You may access the id_token in the fetch user profile script of custom social connections.
See this post: How can I get values in id_token in Fetch User Profile Script
Hi,
Thank you that’s indeed a very good idea. I tried it and it works.
The main issue is that my login page is shared across multiple clients, so I can’t really create one custom social connection per client.
Etienne