Enterprise OIDC connection: validation of ID Token?

Hi,
I recently created a new Enterprise OIDC connection that is working fine. But how can I be sure that the id_token returned by the IdP is checked by Auth0? (check of nonce, iss, aud, azp, amr, etc.)
Thanks for your help
Etienne

Or another question: how is it possible to access the id_token returned by the IdP (in the case of an Enterprise connection), for example in a “Rule”?

Hi @etienne.caldichoury,

Auth0 doesn’t validate tokens for you. It is up to the app (for an ID token) or the API (for an access token) to validate the token.

1 Like

Hi @markd

Yes, but it seems like in the case of an OIDC Enterprise connection there are 2 access tokens and 2 id tokens:

  • the ones provided by the IdP to Auth0, to validate the delegated authentication.
  • the ones provided by Auth0 to the end user, then used to request my API.

I want to have access to the ones provided by the IdP, but they don’t seem to be available in rules.

Ok, that makes sense … now I understand what you mean. I am not aware of any method for manually validating the tokens from the 3rd party IdP, but I am fairly certain Auth0 will reject invalid tokens for you.

I have not tried this with OIDC enterprise connections but Auth0 does reject an invalid security token from a SAML enterprise connection, e.g., a token signed with the wrong signing cert. I would assume it would do the same for an invalid ID / access token.

1 Like

You may access the id_token in the fetch user profile script of custom social connections.

See this post: How can I get values in id_token in Fetch User Profile Script

Hi,

Thank you that’s indeed a very good idea. I tried it and it works.
The main issue is that my login page is shared across multiple clients, so I can’t really create one custom social connection per client :frowning:

Etienne