How do I verify that an access token and an id-token are actually related?
I see that Google has a hash of the access token related to the id-token as a claim, to be able to check that they are related to each other. Does Auth0 have something similar?
I'm creating an auth proxy server for a load balancer, which redirects and authorizes with Auth0 if the user tries to request a protected site through the load balancer.
It sets the current user's access token and id-token as a cookie on the request to store the current user session. But without any way of verifying that the two are related to each other, the logged-in user could impersonate another user if they replace the id-token with another user's valid id-token. Some claims of the id-token are then set on the HTTP headers for the protected site to retrieve for HTTP-header-based authentication.
A way to stop using an id-token in the cookie headers could be retrieving the id-token from the /userinfo endpoint on each request, but that wouldn't scale because of an extra HTTP request for each check of whether a site is protected. This could be solved by adding caching on the server side to avoid too many requests, or by storing the id-token on the server side to avoid exposing the possibility to manipulate the token, but that would break the auth-proxy backend's statelessness and thus would not scale as easily, and would complicate the solution by requiring a distributed backend cache.
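The claim the question refers to is OpenID Connect's `at_hash`: the issuer hashes the access token with the hash function matching the ID token's JWS `alg` (SHA-256 for RS256, SHA-384 for RS384, and so on), keeps the left-most half of the digest, and base64url-encodes it without padding. A stateless proxy can recompute that value from the access token in the cookie and compare it with the `at_hash` claim of the ID token in the same cookie; a mismatch means the two tokens were not issued together. The following is an added example, not code from the original post or from Auth0; it assumes the ID token's signature, issuer, audience and expiry have already been verified by a JWT library before any claim is trusted, and whether a particular issuer includes `at_hash` must be confirmed against the tokens it actually issues. The token strings and the `build_constructed_id_token` helper are constructed sample data for the demo, not real tokens.

```python
import base64
import hashlib
import hmac
import json

# Hash function that belongs to each JWS "alg", as used for the OIDC at_hash claim:
# the digest size matches the alg's number (256/384/512), and at_hash is the
# base64url encoding (no padding) of the left-most half of that digest.
_AT_HASH_DIGEST = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT segments strip, so the stdlib decoder accepts them.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_at_hash(access_token: str, alg: str) -> str:
    """Return the at_hash value an ID token must carry to be bound to this access token."""
    digest = _AT_HASH_DIGEST[alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def split_id_token(id_token: str):
    """Decode the JOSE header and the claims of a compact JWS.
    No signature check happens here: this example assumes the caller has already
    verified signature, issuer, audience and expiry with a JWT library."""
    header_b64, payload_b64, _signature_b64 = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def tokens_are_bound(access_token: str, id_token: str) -> bool:
    """True only if the ID token's at_hash was computed over exactly this access token.
    A missing at_hash or an unknown alg counts as 'not bound', so a swapped ID token
    cannot pass simply by lacking the claim."""
    header, claims = split_id_token(id_token)
    actual = claims.get("at_hash")
    if not isinstance(actual, str) or header.get("alg") not in _AT_HASH_DIGEST:
        return False
    expected = compute_at_hash(access_token, header["alg"])
    # Constant-time comparison; the claim is attacker-readable but the check should not leak timing.
    return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


# --- constructed sample data (not real Auth0 tokens) ---------------------------

def build_constructed_id_token(sub: str, access_token: str, alg: str = "RS256") -> str:
    """Build an ID-token-shaped JWS with a placeholder signature, for this demo only."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": "https://issuer.example", "sub": sub, "aud": "proxy-client-id",
              "at_hash": compute_at_hash(access_token, alg)}
    signature = b64url_encode(b"placeholder-signature-not-verified-here")
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), signature])


ALICE_ACCESS_TOKEN = "constructed-opaque-access-token-for-alice"
BOB_ACCESS_TOKEN = "constructed-opaque-access-token-for-bob"
ALICE_ID_TOKEN = build_constructed_id_token("alice", ALICE_ACCESS_TOKEN)
BOB_ID_TOKEN = build_constructed_id_token("bob", BOB_ACCESS_TOKEN)


def demo() -> dict:
    """A genuine pair passes; Alice's access token presented with Bob's ID token
    (the cookie-swap scenario from the question) is rejected."""
    return {
        "alice_pair": tokens_are_bound(ALICE_ACCESS_TOKEN, ALICE_ID_TOKEN),
        "alice_access_with_bob_id": tokens_are_bound(ALICE_ACCESS_TOKEN, BOB_ID_TOKEN),
    }


if __name__ == "__main__":
    print(demo())
```

In the proxy, this check runs after signature validation and before any id-token claim is copied into an upstream header; it needs no server-side state, so it keeps the backend stateless as the question requires, and it only defends against the specific swap described: it does not, on its own, prove that the access token is still valid at the issuer.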