Is it required/advised to verify an ID Token in a native mobile app?

rcotter · February 1, 2022, 9:13pm

I’m not perfectly clear whether ID Token verification is needed/advised in a native mobile app. We get the ID Token back from Universal Login directly from Auth0 and are able to parse it. I would think we can trust it. We know we got it from the trusted authority - directly; it was not passed via another app or party. The docs have me confused but I’m wondering if that is because they are for multiple use cases like SPAs, etc.

We do clearly understand that when we pass the Access Token to our API server it must verify that token and does so using JWKS.

dan.woda · February 22, 2022, 9:40pm

Hi @rcotter,

Welcome to the Auth0 Community!

The spec requires ID token validation for all grant types.

Although I understand your point here, I think it is best to follow those guidelines. If you are using our SDKs you shouldn’t have to worry about setting up the validation logic, if that is your main concern.

Hope this helps,
Dan

system · March 9, 2022, 9:40pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why validate ID tokens? Help validate , id-token	3	4399	March 2, 2018
Using idToken to access internal API JWT.io	6	3624	August 5, 2022
How to decode the access/id token in a mobile app using React-native-Auth0 SDK? Help id_token , access-token , react-native-auth0	2	3539	September 9, 2020
Having trouble validating id tokens Help id-token	2	3832	March 2, 2018
Does React SDK validate ID Token automatically? Help jwt , react , id-token	3	3556	May 21, 2021

Is it required/advised to verify an ID Token in a native mobile app?

Related topics