I am calling /authorize, which redirects to my /callback?code=xxx&state=yyy. I read this page: Get ID Tokens
- Is the code an ID token I can validate without going remote? The libs referenced in that URL can't seem to validate that token since it is not a JWT.
- Can I get 'sub' from this code above (the xxx)? If so, I can skip the call to /userinfo, which seems a bit useless as it
- The call to /userinfo does not return an identities array with Google's OAuth tokens, and the docs show that only the Management API returns that (seems odd though). Is this true, or are the docs just missing that field? Currently, when I run it, I do not see it returned, but perhaps there is config to make it return more?
My GUESS: for highest security, validate that the state passed to the callback is the same secure random thing AND call /oauth/token and decode the JWT token. If all that is good, we are secure, 'I hope/think'.
I was able to get sub from decoding the JWT after I had the right audience, and use that for fetching Google's tokens without using /userinfo now. All signups take 2 calls to Auth0 for now, while I was hoping for just one to keep the load fast.
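Added example (not part of the original post, and not Auth0's SDK code) showing the checks the post is reasoning about: the authorization code is opaque and not a JWT, `sub` only becomes available from the ID token returned by the /oauth/token exchange, and before trusting it the callback must compare `state` and validate the token's signature, `alg`, `iss`, `aud` and `exp`. Real Auth0 ID tokens are RS256-signed and are verified against the tenant's JWKS; to run offline this example signs and verifies with HS256 and a constructed shared secret, and the tenant URL, client_id and the local stand-in for the token endpoint are all assumptions.

```python
"""Callback handling for the authorization code flow (added example).
Assumption: HS256 with a constructed secret stands in for Auth0's RS256/JWKS."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-shared-secret-not-a-real-auth0-secret"  # assumption
ISSUER = "https://example-tenant.auth0.com/"                   # assumed tenant
CLIENT_ID = "example-client-id"                                # assumed client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(sub, aud=CLIENT_ID, iss=ISSUER, ttl=3600, now=None) -> str:
    """Mint a JWT the way the (simulated) token endpoint would."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def is_jwt_shaped(token: str) -> bool:
    """True only for header.payload.signature with JSON-object header and payload.
    An authorization code like 'xxx' is opaque and fails this check."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        return all(isinstance(json.loads(_b64url_decode(p)), dict) for p in parts[:2])
    except (ValueError, UnicodeDecodeError):
        return False


def verify_id_token(token: str, aud=CLIENT_ID, iss=ISSUER, now=None) -> dict:
    """Check alg, signature, iss, aud and exp; return the claims (with 'sub')."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a JWT")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != iss:
        raise ValueError("bad issuer")
    aud_claim = claims.get("aud")
    if not (aud_claim == aud or (isinstance(aud_claim, list) and aud in aud_claim)):
        raise ValueError("bad audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def new_state() -> str:
    """Per-login random state; store it server-side (or in a signed cookie) before /authorize."""
    return secrets.token_urlsafe(32)


# Constructed stand-in for POST /oauth/token: maps an opaque code to an ID token.
_ISSUED = {"xxx": make_id_token("google-oauth2|1234567890")}


def fake_token_endpoint(code: str) -> str:
    if code not in _ISSUED:
        raise ValueError("invalid_grant")
    return _ISSUED.pop(code)  # codes are single-use


def handle_callback(query: dict, stored_state: str, token_endpoint=fake_token_endpoint, now=None) -> str:
    """Process /callback?code=...&state=... and return the verified 'sub'."""
    presented = query.get("state", "")
    if not stored_state or not hmac.compare_digest(presented.encode(), stored_state.encode()):
        raise ValueError("state mismatch (possible CSRF)")
    code = query.get("code", "")
    if not code:
        raise ValueError("missing code")
    id_token = token_endpoint(code)          # the second round trip the post mentions
    return verify_id_token(id_token, now=now)["sub"]
```

The exchange at /oauth/token is unavoidable here: `sub` lives in the ID token, not in the code, so the state check plus a full ID-token validation is the minimum before using `sub` to look up anything else.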