Remove SDK-side ID token validation#912

Draft
Copilot wants to merge 8 commits into
devfrom
copilot/remove-id-token-validation

Conversation

Contributor

Copilot AI commented May 11, 2026

The SDK was validating ID token claims during decode and auth code flows. This change makes ID token handling decode-only so the library no longer enforces issuer, audience, nonce, time, or auth_time checks.

  • Decode-only ID token handling
    • msal.oauth2cli.oidc.decode_id_token() now only parses and returns claims
    • legacy validation-related parameters are retained for compatibility but ignored
  • Removed OIDC claim validation paths
    • removed issuer/audience/nonce/expiry/not-before checks from OIDC decoding
    • removed auth code flow nonce and max_age/auth_time validation tied to ID tokens
    • OIDC helpers continue returning id_token_claims without rejecting tokens based on claim contents
  • Token cache alignment
    • token cache fallback decoding now uses raw claim decoding only
    • avoids reintroducing validation when extracting account metadata from id_token
  • API/docs clarification
    • updated docstrings to reflect that nonce/claim validation is no longer performed by the SDK
    • clarified that callers who require validation must do it themselves

Example:

```python
from msal import oauth2cli

# id_token: the raw ID token (JWT string) returned by the token endpoint
claims = oauth2cli.oidc.decode_id_token(
    id_token,
    client_id="expected-client",
    issuer="https://issuer.example",
    nonce="expected-nonce",
)

# Before: could raise on audience / issuer / nonce / time checks
# Now: returns decoded claims without SDK-side validation
print(claims["sub"])
```

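As an added example (not part of this PR or of the msal project), the caller-side checks the description says applications must now perform themselves, run over a constructed unsigned sample token. The names make_sample_id_token, decode_id_token_claims and validate_id_token_claims are hypothetical; the stand-in decoder replaces msal.oauth2cli.oidc.decode_id_token only so the snippet runs without msal installed, and signature verification is out of scope here.

```python
import base64
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(claims):
    """Build an unsigned (alg=none) JWT carrying CLAIMS. Constructed test input only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."


def decode_id_token_claims(id_token):
    """Parse the JWT payload only; hypothetical stand-in for the SDK's decode-only
    msal.oauth2cli.oidc.decode_id_token(), so this runs without msal installed."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_claims(claims, client_id, issuer, nonce=None,
                             max_age=None, now=None, skew=120):
    """Caller-side OIDC Core 3.1.3.7 claim checks the SDK no longer performs.
    Returns a list of failure descriptions; empty means the claims match."""
    now = int(time.time()) if now is None else now
    errors = []
    if claims.get("iss") != issuer:
        errors.append("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        errors.append("audience %r does not contain client_id" % aud)
    if len(aud) > 1 and claims.get("azp") != client_id:
        errors.append("multiple audiences but azp is not client_id")
    if nonce is not None and claims.get("nonce") != nonce:
        errors.append("nonce mismatch")
    if claims.get("exp") is None or now > claims["exp"] + skew:
        errors.append("token expired or exp missing")
    if claims.get("nbf") is not None and now + skew < claims["nbf"]:
        errors.append("token not yet valid (nbf)")
    if max_age is not None:
        if claims.get("auth_time") is None:
            errors.append("max_age requested but auth_time claim absent")
        elif now - claims["auth_time"] > max_age + skew:
            errors.append("authentication older than max_age")
    return errors
```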
Copilot AI requested review from Copilot and removed request for Copilot May 11, 2026 12:10
Copilot AI linked an issue May 11, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Remove ID token validation logic from SDK Remove SDK-side ID token validation May 11, 2026
Copilot AI requested a review from bgavrilMS May 11, 2026 12:25
Development

Successfully merging this pull request may close these issues.

[Bug] The SDK should not perform any ID Token validation

2 participants