/implicit/callback not verifying tokens

I am using okta-vue and found out that the /implicit/callback does not seem to verify the tokens provided and is just simply parsing tokens and adding them to local storage. Am I missing something? How does okta-auth-js know if these tokens are correct?

This is the method that handles the callback (Present in Auth.js)

    async handleAuthentication () {
      const {tokens} = await this.oktaAuth.token.parseFromUrl()

      if (tokens.idToken) {
        this.oktaAuth.tokenManager.add('idToken', tokens.idToken)
      }
      if (tokens.accessToken) {
        this.oktaAuth.tokenManager.add('accessToken', tokens.accessToken)
      }
    }

When you add a token to the tokenManager, AuthJS does check if the token you are attempting to add meets certain criteria, as seen in tokenManager.js.

However, the library is not designed to validate tokens beyond making sure they are well-formed. If you want to ensure a token is valid, you may want to look into complete local or remote token validation, as described in this guide.
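To illustrate the difference between a well-formed token and a valid one, here is an added example of local ID token validation (not code from okta-auth-js or from the posts above). It runs on Node.js with the built-in `crypto` module; the key pair, issuer URL, client id and nonce are constructed for the demo, whereas a real application would take the public key from the issuer's published JWKS.

```javascript
// Added example: local validation of an RS256 ID token (signature + iss/aud/exp/nonce).
const crypto = require('crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Constructed stand-ins for the issuer's signing key and the app's expected values.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const EXPECTED = { iss: 'https://idp.example.test/oauth2/default', aud: 'constructed-client-id', nonce: 'constructed-nonce' };

// Test helper playing the issuer: signs claims into a compact JWT.
function signToken(claims, key = privateKey) {
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the claims when every check passes, otherwise throws with the reason.
function validateIdToken(token, key, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed');
  // Pin the algorithm; never let the token header choose how it is verified.
  if (dec(parts[0]).alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = dec(parts[1]); // only trusted after the signature check
  if (claims.iss !== expected.iss) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  return claims;
}

// Returns 'valid' or the rejection reason for a token.
function check(token, key = publicKey) {
  try { validateIdToken(token, key, EXPECTED); return 'valid'; } catch (e) { return e.message; }
}

const soon = Math.floor(Date.now() / 1000) + 300;
const good = signToken({ ...EXPECTED, sub: 'user-1', exp: soon });
// Same header and signature, different payload: still well-formed, no longer valid.
const altered = good.split('.').map((p, i) => (i === 1 ? enc({ ...EXPECTED, sub: 'user-2', exp: soon }) : p)).join('.');
console.log(check(good), '|', check(altered));
```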
