Validating signing certificate when using OpenId Connect

I'm trying to understand whether my Owin-hosted Web API needs to validate the certificate used to sign a JWT token.

I've set up an identity provider using IdentityServer. On the "relying party" side, I have an ASP.NET Web API hosted using Owin. On the RP side, I'm using UseOpenIdConnectAuthentication to install the OpenIdConnectAuthenticationMiddleware in the Owin pipeline.

What's working so far:

  1. Any unauthenticated user visiting my web app is redirected to the login page on IdentityServer
  2. The user logs on
  3. The user is redirected back to my web app
  4. My web app receives the JWT containing the id token and access token
  5. My web app calls the user info endpoint to retrieve the claims using the access token

What I'm missing is logic to validate the certificate which was used to sign the JWT containing the identity token.

Using Fiddler, I've been able to see that the OpenIdConnectAuthenticationMiddleware retrieves the keys from the identity server (by calling https://myidentityserver.example.com/core/.well-known/jwks HTTP/1.1).

Is the OpenIdConnectAuthenticationMiddleware performing some kind of validation of the certificate? Or should I be writing this code myself?

Martin asked Apr 19 '26 02:04

1 Answer

The flow you describe relies on the fact that the verification certificate is pulled from a TLS-protected endpoint (the JWKS URL) that presents a valid SSL server certificate. This SSL server certificate guarantees that you're talking to the right OpenID Connect provider.

Hans Z. answered Apr 21 '26 11:04
