Maybe I have an understanding problem, or there is a bug in the SDK.
I'm developing an Angular web app and currently I have the case where the access token lives longer than the ID token (I can't seem to extend the lifespan of the ID token).
In the angular-okta SDK there is a function in the OktaAuthService called getUser().
The documentation says: “Returns user claims from the /userinfo endpoint if an accessToken is provided or parses the available idToken.”
I had a look at the code, but as soon as there is no idToken available (because it expired), the /userinfo endpoint is not requested anymore.
Also, when I check the Okta documentation:
the only requirement is the access token, which is still valid.
I mean, this is clearly a bug which I should open an issue for, but I would also like to know whether my understanding is wrong. Is there a way to get the user info without an idToken?
Also, when I look at the okta-auth-js SDK, I'm wondering why the function
needs an idToken?
The comment in the function states: "// Only return the userinfo response if subjects match to mitigate token substitution attack", but why? When I have a valid access token and the API endpoint just needs an access token to work, why does the SDK prevent the usage? Sounds more like obscuring things than real security.
Any help in understanding the issue is greatly appreciated.
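The subject check quoted above is easier to reason about with a concrete model. The following is an added illustration, not code from okta-auth-js or Okta: it mimics a client that holds an ID token for a session and calls /userinfo with an access token, and it compares the `sub` claim of both before trusting the userinfo claims. The ID token is constructed and unsigned (signature verification is assumed to happen elsewhere), and the /userinfo stand-in, token strings, subjects and e-mail addresses are all made up for the sample.

```javascript
// Added illustration (not okta-auth-js code): why a /userinfo response should only be
// trusted when its `sub` matches the `sub` of the ID token the session was established with.
// Assumption: the ID token's signature has already been verified upstream; this only decodes.

// Decode the payload segment of a compact JWS (base64url -> JSON). No signature check here.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build a constructed, unsigned ID token for the sample; the signature segment is a placeholder.
function makeSampleIdToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig-placeholder`;
}

// Constructed stand-in for the /userinfo endpoint: maps an access token to the claims the
// authorization server would return for that token's owner.
const SAMPLE_USERINFO = {
  'access-token-of-alice': { sub: 'user-alice', email: 'alice@example.com' },
  'access-token-of-mallory': { sub: 'user-mallory', email: 'mallory@example.com' },
};
function fetchUserInfo(accessToken) {
  const claims = SAMPLE_USERINFO[accessToken];
  if (!claims) throw new Error('401 invalid_token');
  return claims;
}

// Guarded variant: release userinfo claims only if they describe the same subject as the
// ID token. This is the check the quoted SDK comment refers to.
function getUserGuarded(idToken, accessToken) {
  const idClaims = decodeJwtPayload(idToken);
  const userInfo = fetchUserInfo(accessToken);
  if (idClaims.sub !== userInfo.sub) {
    throw new Error(`subject mismatch: id_token sub=${idClaims.sub}, userinfo sub=${userInfo.sub}`);
  }
  return userInfo;
}

// Unguarded variant: trusts whatever /userinfo returns for the presented access token,
// so the app's notion of "who is logged in" follows the access token, not the session.
function getUserUnguarded(accessToken) {
  return fetchUserInfo(accessToken);
}

// Constructed ID token for the session's authenticated user.
const ALICE_ID_TOKEN = makeSampleIdToken({
  sub: 'user-alice', iss: 'https://issuer.example', aud: 'client-id',
});

// Walk-through: the session was established for alice; the guarded call accepts alice's own
// access token and rejects a different user's access token, while the unguarded call would
// silently return the other user's claims inside alice's session.
function demo() {
  const legit = getUserGuarded(ALICE_ID_TOKEN, 'access-token-of-alice').email;
  let swapped;
  try {
    getUserGuarded(ALICE_ID_TOKEN, 'access-token-of-mallory');
    swapped = 'accepted';
  } catch (e) {
    swapped = 'rejected';
  }
  const unguarded = getUserUnguarded('access-token-of-mallory').email;
  return { legit, swapped, unguarded };
}

console.log(demo());
```

The point the model makes is that /userinfo answers "who owns this access token", not "who is this session's user"; without a second claim bound to the session (the ID token's `sub`) the client has nothing to compare the answer against. Whether the SDK should fall back to an access-token-only call once the ID token has expired is a separate question from whether the check is meaningful.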