Improved OIDC compliance #248
Conversation
Co-Authored-By: Luciano Balmaceda <balmacedaluciano@gmail.com>
luisrudge
force-pushed
the
feature/idtv
branch
from
8925c64
to
1eb123a
Compare
There was a problem hiding this comment.
I left a small comment that is irrelevant to this PR (existed before too). I'm approving the PR but I think we need to improve our docs. I didn't see anywhere mentioned what I can pass as an option (e.g. max_age) and there is no mention that the default leeway is 60 seconds.
if I'm wrong and this is documented, please point me to the doc :) I've checked the readme and this link: https://auth0.com/docs/libraries/auth0-spa-js
EDIT: I found out that we document the different options here: https://auth0.github.io/auth0-spa-js/interfaces/auth0clientoptions.html
The only thing missing is that the default leeway is 60 seconds.
| } | ||
|
|
||
| const leeway = options.leeway || 60; |
There was a problem hiding this comment.
why do we set default leeway to 60 seconds? There is no mention about it in our docs.
There was a problem hiding this comment.
We decided to set the default leeway to 60 across the board to keep the check consistent.
There was a problem hiding this comment.
Makes sense. Let's include this piece of information here: https://auth0.github.io/auth0-spa-js/interfaces/auth0clientoptions.html#leeway
Description
This update improves the SDK support for OpenID Connect. In particular, it modifies the sign in verification phase by substituting backchannel based checks with id_token validation.
Testing