Is it required/advised to verify an ID Token in a native mobile app?

I’m not perfectly clear whether ID Token verification is needed/advised in a native mobile app. We get the ID Token back from Universal Login directly from Auth0 and are able to parse it. I would think we can trust it. We know we got it from the trusted authority - directly; it was not passed via another app or party. The docs have me confused but I’m wondering if that is because they are for multiple use cases like SPAs, etc.

We do clearly understand that when we pass the Access Token to our API server it must verify that token and does so using JWKS.

Hi @rcotter,

Welcome to the Auth0 Community!

The spec requires ID token validation for all grant types.

Although I understand your point here, I think it is best to follow those guidelines. If you are using our SDKs you shouldn’t have to worry about setting up the validation logic, if that is your main concern.

Hope this helps,
Dan
