According to my understanding of ID tokens, ID tokens are typically used to display user information. However, the documentation also says that ID tokens should be validated before they are used. To quote the documentation:
These claims are statements about the user, which can be trusted if the consumer of the token can verify its signature.
I am doubtful why validation is necessary here:
1. In the Auth0 context, we get ID tokens from Auth0, which is a trusted party. In other words, I can trust whatever Auth0 tells me, including ID tokens.
2. Now suppose for some reason my assumption in (1) is not valid (e.g., MITM, etc.). Validating the tokens still will not help. For example, if I am using RS256, I will fetch the keys from /.well-known/jwks.json, which are still coming from Auth0 (i.e., at most as trustworthy as the ID tokens).
I’d really appreciate it if anyone could clarify the importance of validating ID tokens.