Diomidis Spinellis

Reputation: 19385

How can an OpenID Connect (OIDC) ID Token be validated through a JavaScript library?

When the ID Token provided by OpenID Connect (OIDC) reaches a back-end through an API endpoint, it needs to be validated. There are provider-specific libraries to validate tokens, such as those for Google and Apple. Is there a library that can validate any standard OIDC ID Token?

If I understand the documented API of the popular openid-client library correctly, it seems to be geared toward a web-based application workflow (hence, e.g., the various endpoints that seem to be required when constructing an Issuer object) and the support of the Passport middleware (which, again, targets web applications). Can the openid-client library be used to simply validate an OpenID Connect ID Token obtained through a workflow independent of the library's web workflow? Is there another JavaScript library that can do this? This seems important, because developers should avoid rolling their own code to implement security functionality.

Upvotes: 2

Views: 2355

Answers (1)

Gary Archer

Reputation: 29301

There are Node.js libraries that validate JWTs, which can also run in the browser. The openid-client library is focused on a higher-level code flow. A library such as jose may be a better choice, and give you finer control, if your requirement is to instead just work with JWTs.

In the browser the web crypto APIs are used, as opposed to the Node implementations. All up to date desktop and mobile browsers support them.

The code you'd write in the browser is similar to this code of mine. The library does these things:

  • Download (and cache) token signing public keys
  • Verify the JWT signature
  • Verify issuer, algorithm, expiry and audience

More info in my blog post. Note that an ID token is an assertion to inform the client how and when the authentication event occurred. Usually only access tokens are sent to backends, since they can also contain custom scopes and claims used for authorization.

Upvotes: 2
