As a route developer, I want to validate an incoming id_token in order to ensure authenticity, integrity, audience and expiration (not exhaustive).
Sometimes an access_token alone is not sufficient to provide all the information we may want about the subject, so we may have an OpenID Connect id_token at hand. We then need to ensure that it is still valid (expiration date, exp), that it is intended for us (aud) and that it has been issued by the expected issuer (signature and iss).
- A filtered request passes through the filter if the id_token is valid
- Returns a 403 Forbidden otherwise
- Or we may want a configurable failure handler (TBD)
- The id_token location can be configured (expression)
- Expiration is checked
- Audience is checked against a value provided in the configuration
- Issuer can be validated against a value provided in the configuration
- If signed (as it should be), the filter verifies the signature using a secret provided in the configuration
- Also check the identity microservices project and how this work could benefit that project and vice versa (https://stash.forgerock.org/projects/MICRO/repos/microservice-token-validation/browse)