refactor[authentication]: reworks the token verification using JWKS url #6
Description
This branch makes the requirement of a confidential client optional. This is to reduce attack surface by removing secrets from multiple install locations and simplify deployment to many resources by not requiring secrets to be deployed.
Note: This removes the token introspection code, which makes a call to the identity provider to validate the token. Instead, this code relies on local decoding and validation of the token. There is notably an omission of validation of `aud` (audience) on the tokens. Validating audience can be added in if desired, but it is commonly optional and would optimally leverage a configuration flag.
Fixes
no issue allocated
Type of change
How Has This Been Tested?
This code was tested (prior to the latest merge from master) on live systems for login in a testing event. For more info, see this commit. I cherry-picked the changes against the updated master and re-wrote the commit message to be in line with the contributions guide.
Checklist:
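The local verification path the description refers to, as an added example that is not the PR's code (the project's language is not shown on this page, so it is written in Go with the standard library only). It loads RSA public keys from a JWKS document, verifies an RS256 token's signature, `iss` and `exp` without any introspection call or client secret, and puts `aud` validation behind a `RequireAud` flag in the way the description suggests. Everything here is assumed for illustration: the `LoadJWKS`, `Verifier`, `Sign` and `Demo` names, the issuer `https://idp.example`, the audience `api://resource-a` and the key id `k1`; the JWKS document is constructed inline instead of being fetched from the IdP's jwks_uri, and `Sign` stands in for the IdP so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// Claims checked here; aud may be a string or an array of strings (RFC 7519 section 4.1.3).
type Claims struct {
	Iss string          `json:"iss"`
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud,omitempty"`
	Exp int64           `json:"exp"`
}

// Verifier validates tokens locally with keys from a JWKS document: no introspection call, no client secret.
type Verifier struct {
	Keys       map[string]*rsa.PublicKey // kid -> public key
	Issuer     string
	Audience   string // enforced only when RequireAud is set
	RequireAud bool   // the configuration flag the PR description suggests for aud validation
}

// LoadJWKS parses the {"keys":[...]} document an IdP publishes at its jwks_uri (RSA keys only here).
func LoadJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, fmt.Errorf("unsupported or malformed key %q", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// Verify checks alg, signature, iss, exp and (when configured) aud without contacting the IdP.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if h, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	key := v.Keys[hdr.Kid]
	if hdr.Alg != "RS256" || key == nil { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("rejected alg %q with kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if p, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != v.Issuer || !time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("issuer mismatch or token expired")
	}
	if v.RequireAud && !audContains(c.Aud, v.Audience) {
		return nil, errors.New("audience mismatch")
	}
	return &c, nil
}

// audContains handles both encodings of aud; a missing or malformed aud never matches.
func audContains(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	return json.Unmarshal(raw, &many) == nil && slices.Contains(many, want)
}

// Sign issues an RS256 token as the IdP would; it stands in for the IdP so the example runs offline.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// Demo runs constructed tokens through the verifier with the aud flag off and on.
// Issuer, audience and kid are made up; results are keyed by scenario (nil = accepted).
func Demo() (map[string]error, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// The JWKS document as the IdP would serve it, constructed inline instead of fetched.
	jwksDoc := fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":"k1","n":"%s","e":"%s"}]}`,
		enc.EncodeToString(priv.N.Bytes()), enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	keys, err := LoadJWKS([]byte(jwksDoc))
	if err != nil {
		return nil, err
	}
	v := &Verifier{Keys: keys, Issuer: "https://idp.example", Audience: "api://resource-a"}
	good := Claims{Iss: v.Issuer, Sub: "alice", Aud: json.RawMessage(`"api://resource-a"`), Exp: time.Now().Add(time.Hour).Unix()}
	otherAud, noAud := good, good
	otherAud.Aud = json.RawMessage(`["api://resource-b"]`) // array form, minted for a different resource
	noAud.Aud = nil                                         // aud claim absent entirely
	out := map[string]error{}
	for name, c := range map[string]Claims{"good": good, "other-aud": otherAud, "no-aud": noAud} {
		tok, err := Sign(priv, "k1", c)
		if err != nil {
			return nil, err
		}
		v.RequireAud = false
		_, out[name+"/aud-off"] = v.Verify(tok)
		v.RequireAud = true
		_, out[name+"/aud-on"] = v.Verify(tok)
	}
	// Payload swapped after signing: the k1 signature no longer covers it.
	tok, _ := Sign(priv, "k1", good)
	parts := strings.Split(tok, ".")
	forged := enc.EncodeToString([]byte(fmt.Sprintf(`{"iss":"%s","sub":"mallory","exp":%d}`, v.Issuer, good.Exp)))
	_, out["tampered"] = v.Verify(parts[0] + "." + forged + "." + parts[2])
	return out, nil
}

func main() {
	out, err := Demo()
	fmt.Println(out, err)
}
```

With `RequireAud` off the verifier reproduces the omission the description calls out: the `other-aud` and `no-aud` tokens, validly signed by the same IdP but minted for a different resource or for none, are accepted, so any token from that issuer can be replayed against this service; with the flag on they are rejected while signature, issuer and expiry checks still hold (the `tampered` token is rejected either way). Against a real IdP the JWKS document would be fetched over TLS from the jwks_uri, cached by `kid` and refreshed on an unknown `kid` to survive key rotation; pinning `alg` to the expected value rather than trusting the header is what keeps a `none` or HS256 header from bypassing the signature check.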