The verify method in IdTokenVerifier does not validate the signature before verifying the claims (e.g., iss, aud, etc.). This is also a violation of the ID Token Validation steps mentioned in the current OpenID Connect Spec (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).

The spec requires to validate the signature of ID token for apps that cannot guarantee TLS communication, which is the case for this library. This library initiates a local server that can run on any client machine without TLS support. So, it is critical to validate the signature, before trusting the claims of an ID token, which can be received from a malicious service provider.

Thanks.

@silvolu FYI

The issue confirmed, investigating the best way to fix it

fix in progress

fix ETA Mar 1st, dropping priority according to definitions.