How to set different token validity periods for different applications

I think this article may bring some additional context.
Specifically the following statement:

This extra validation will need to be covered by application authors and frameworks making use of the max_age parameter.

Also:

Don’t rely on client-side verification (i.e. in the browser) of the ID token or auth_time to prevent sensitive operations.

(My interpretation) The middleware (on the API server side) responsible for validating and parsing the incoming access token could potentially make use of some of the data relevant to access token validation, like:

  • time when the request to gain protected data has been sent;
  • “issued at” claim of the access token;
  • max_age parameter value;
  • “issued at” claim of the ID token;
  • “auth_time” claim in the ID token;
  • current time;

and perform validation by making relevant comparisons.

Does this give you some good directions for your investigation?
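One way to turn the comparisons listed above into a concrete server-side check, as an added example that is not part of the original post and not Auth0's own code: the claim dictionaries, the `max_age` value and the timestamps are constructed inputs, and the function assumes the JWT signatures and audiences have already been verified by the middleware before it runs.

```python
from dataclasses import dataclass
from typing import Optional

# Tolerance for clock drift between the issuer, the client and the API (assumed value).
CLOCK_SKEW_SECONDS = 60


@dataclass(frozen=True)
class FreshnessResult:
    ok: bool
    reason: str


def validate_freshness(
    access_claims: dict,
    id_claims: dict,
    max_age: int,
    now: int,
    request_sent_at: Optional[int] = None,
) -> FreshnessResult:
    """Compare the access token's iat, the ID token's iat and auth_time,
    the max_age the client requested, the time the request was sent and
    the current server time. All timestamps are Unix seconds.
    Signature, issuer, audience and expiry checks are assumed done already."""
    access_iat = access_claims.get("iat")
    id_iat = id_claims.get("iat")
    auth_time = id_claims.get("auth_time")

    # Neither token may claim to have been issued in the future (beyond skew).
    for name, value in (("access token iat", access_iat), ("ID token iat", id_iat)):
        if not isinstance(value, int):
            return FreshnessResult(False, f"{name} claim missing or not an integer")
        if value > now + CLOCK_SKEW_SECONDS:
            return FreshnessResult(False, f"{name} claim is in the future")

    # When max_age was requested, the ID token must carry auth_time.
    if not isinstance(auth_time, int):
        return FreshnessResult(False, "auth_time missing from ID token although max_age was requested")

    # The user authenticated before the ID token was minted, so auth_time <= iat (plus skew).
    if auth_time > id_iat + CLOCK_SKEW_SECONDS:
        return FreshnessResult(False, "auth_time is later than the ID token's iat")

    # Core max_age rule: the authentication event must be recent enough.
    if now - auth_time > max_age:
        return FreshnessResult(False, "authentication older than max_age; re-authentication required")

    # Optional replay sanity check: the client's request timestamp should be close to server time.
    if request_sent_at is not None and abs(now - request_sent_at) > CLOCK_SKEW_SECONDS:
        return FreshnessResult(False, "request timestamp too far from server time")

    return FreshnessResult(True, "authentication is fresh enough for this operation")


if __name__ == "__main__":
    # Constructed sample: user authenticated 100 s ago, tokens issued 10 s ago.
    now = 1_700_000_000
    access = {"iat": now - 10}
    id_token = {"iat": now - 10, "auth_time": now - 100}
    print(validate_freshness(access, id_token, max_age=300, now=now))   # ok
    print(validate_freshness(access, id_token, max_age=60, now=now))    # re-authentication required
```

A sensitive endpoint would call `validate_freshness` with a small `max_age` and reject (or redirect to re-authentication) on `ok == False`, while ordinary endpoints could skip the auth_time comparison entirely; that is what lets different applications, or different routes, enforce different effective validity periods on the server rather than in the browser.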


:video_camera: Want to join our next Community Interactive Q&A with our experts? This time we’re gonna talk about Auth0 Terraform Provider