Is it necessary to verify the access token signature in the context of a TLS connection with .well-known endpoint?

I'm developing a custom Authentication Socialite ADFS Provider using OpenID Connect: Authentication Flow.

Since I have a TLS connection between the client App and the Authentication server that issues the token, what is the point of verifying the access token signature? From my perspective, the connection is already authenticated with integrity.

The keys I would use to verify the signature are exposed on a .well-known endpoint. Given the context of a compromised auth server, attackers could simply replace the server keys with their own, so I'm really not sure about the benefits of the signature in this case.
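To make concrete what the relying-party side of that check looks like, here is an added example in Go (illustration written for this page, not the asker's Socialite provider and not ADFS code). It stands in a test issuer that signs an ES256 token, publishes the matching key in a JWKS of the form served at the `jwks_uri` from `/.well-known/openid-configuration`, and a verifier that pins the algorithm, looks the `kid` up in that key set, checks the signature, and then checks `iss`, `aud` and `exp`. The issuer URL `https://idp.example`, the client id `my-client` and the key id `k1` are constructed sample values. The point the example makes: TLS authenticates the channel to the server the client talked to, whereas the signature binds the token to a key the expected issuer published, so the same check works for any party that later receives the token without having spoken to the issuer (a resource server handed the token by the client), and a token signed under a key that is not in the published JWKS is rejected even when it carries the right `kid`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the subset of an RFC 7517 key needed for ES256 (P-256) verification.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// JWKS is the key set the issuer publishes at the jwks_uri advertised in
// /.well-known/openid-configuration.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var enc = base64.RawURLEncoding

// PublicKeyToJWK exports a P-256 public key in JWKS form under the given kid.
func PublicKeyToJWK(pub *ecdsa.PublicKey, kid string) JWK {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return JWK{Kty: "EC", Crv: "P-256", Kid: kid, X: enc.EncodeToString(x), Y: enc.EncodeToString(y)}
}

// SignES256 builds a compact JWS (header.payload.signature) over claims. It stands
// in for the issuer's token endpoint so the example runs offline.
func SignES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	// JWS encodes ECDSA signatures as R||S, each left-padded to 32 bytes for P-256.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyES256 is the relying-party side: pin the algorithm, find the kid in the
// JWKS, check the signature, then iss, aud and exp. Claims are returned only
// when every check passes.
func VerifyES256(token string, jwks JWKS, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// The accepted algorithm is the verifier's decision, never taken from the token.
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var key *JWK
	for i := range jwks.Keys {
		if k := &jwks.Keys[i]; k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			key = k
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no P-256 key with kid %q in JWKS", hdr.Kid)
	}
	xb, errX := enc.DecodeString(key.X)
	yb, errY := enc.DecodeString(key.Y)
	if errX != nil || errY != nil {
		return nil, errors.New("malformed JWK coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under the published key")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != issuer {
		return nil, errors.New("iss mismatch")
	}
	if !audienceMatches(claims["aud"], audience) {
		return nil, errors.New("aud mismatch")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}

// audienceMatches accepts both the string and the array form of aud (RFC 7519).
func audienceMatches(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo: one issuer key in the JWKS, one token verified against it.
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jwks := JWKS{Keys: []JWK{PublicKeyToJWK(&issuerKey.PublicKey, "k1")}}
	claims := map[string]any{"iss": "https://idp.example", "aud": "my-client", "sub": "alice", "exp": time.Now().Add(time.Hour).Unix()}
	tok, _ := SignES256(issuerKey, "k1", claims)
	got, err := VerifyES256(tok, jwks, "https://idp.example", "my-client", time.Now())
	fmt.Println(got["sub"], err)
}
```

In a real relying party the JWKS is fetched over TLS from the `jwks_uri` named in the issuer's discovery document and cached by `kid`; the verifier above deliberately takes the key set as a parameter so that the trust decision (which issuer, which keys, which algorithm) is visible in one place rather than inferred from the token.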
