Unverified Commit affd4d4e authored 1 year ago by Sean Liao Committed by GitHub 1 year ago

verify access tokens by checking getuserinfo during a token exchange (#3031)

The provider.Verifier.Verify endpoint we were using only works with ID
tokens. This isn't an issue with systems which use ID tokens as access
tokens (e.g. dex), but for systems with opaque access tokens (e.g.
Google / GCP), those access tokens could not be verified.
Instead, check the access token against the getUserInfo endpoint.

Signed-off-by: Sean Liao <sean+git@liao.dev>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>

parent f2358ef2

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 24 additions and 8 deletions

Please register or to comment