Verification of incoming token #49
Comments
Verification is great - and in fact recommended. I feel this should be part of the repo itself where it does that step just to ensure it's not a replay attack or the token hasn't been tampered with.
@ananay thanks for the response! I've actually implemented getting the public keys from the api endpoint, caching them etc. - would you like me to share a gist so you might be able to copy & paste it? I'd suggest to say so in the docs instead of suggesting
@marcesengel Thanks! Please feel free to share a gist or make a pull request with the code added! :D
@ananay sorry for the delay, I've prepared a gist: https://gist.github.com/marcesengel/f14ea18b850d87e89b2a51e6d74b29b6 Feel free to reach out if you'd like to discuss anything, maybe in the comments of the gist?
Hi,
first of all thanks a lot for the work on this package! Looking through the README, I was wondering if `jwt.decode(idToken)` is actually the right thing to do, or if it'd make sense to also verify the incoming token? For now I'm verifying them, is this redundant? I'm not aware of the exact auth flow. Thanks in advance!
Best regards