[ENHANCEMENT] Validation without introspect #2915
felixauringer
left a comment
I have not built it myself but the code looks good. I like that aud validation is now part of the usual verification flow.
There is still an additional check in the introspection case here. Do you think that one is still necessary? I think the new check from this PR is also used in the introspection case as part of the local validation anyway.
Thanks @felixauringer for the review. I pushed a little commit to polish the doc.
Thanks, the docs look good to me now 🙂 I am still unsure about the double aud validation mentioned above.
I fear I do not get you. What do you mean?
When using introspection, there are currently two places with aud checks:
I am not sure whether the second is still needed. As far as I see it, the signature verification - which now also includes the aud check - is done in every code path anyway.
Fair
While I'm at it, it seems less relevant to mandate introspect. Would you agree to relaxing it, @felixauringer?
Although I'm very late to the party, I just wanted to let you know that relaxing it seems fine to me. Proper local validation and introspection are both fine, and after the changes to the local validation, I would say that it suffices on its own. Thank you 🙂