Right now we do not explicitly validate the JWTs returned from whatever OIDC provider is in use.
We should confirm that either:
- authlib handles this for us, or
- we explicitly validate the returned tokens (in particular the id_token, as this is what is used)
I prefer the latter, as the implementation of authlib may change, even if it handles validation now.
Steps required:
- Download the JWK key set from the provider's well-known endpoint (the jwks_uri published in the discovery document)
- Load the key set into authlib as a key set, so the signing key can be looked up by the token's kid header
- Validate the id_token (signature against that key, then iss, aud, exp and nonce), or the entire response from the token endpoint, as appropriate