Hello, I am using processAuthorizationCodeOpenIDResponse (which calls processGenericAccessTokenResponse) and I was hoping that it would also validate the signature, but it seems that it's not possible. The other way to validate the id_token would be by using validateJwtAuthResponse, but it looks like it's only for the JARM flow, for which a 'response' parameter is needed. The problem is that I don't have a 'response' param in my flow (PKCE with only code and state in the callback), so the function throws an error. I saw that someone mentioned another package, 'jose', that has the JWKS validation. Should I use this instead, or is it planned to have a way to validate an id_token in processAuthorizationCodeOpenIDResponse? Thanks for your time.
It is intended. It is possible to do so because the only flows that are supported by this module are ones where an ID Token is retrieved from an https (TLS protected) endpoint and the specification does not require the client to check the signature of the ID Token in such cases. This behaviour is also certified by the OpenID Connect Certification Program.
For all intents and purposes, when you retrieve the ID Token from this module you don't need to validate it further; you can immediately use getValidatedIdTokenClaims on the response and get the claims that were already in it. If you want to be checking the ID Token on any subsequent use, for instance follow-up requests after it has maybe been exposed to users, by all means use a library meant for validating JWTs to ensure it was not tampered with.