Idea #17718
Updated by Peter Amstutz over 3 years ago
Finish OIDC support: * When we receive a JWT token, we should verify the signature and check the expiration time. This should make it possible in at least some cases to accept JWT tokens without going to the upstream provider. * When OIDC tokens are not JWT, we should support using the OIDC standard "introspection" endpoint to verify that the token is "active" * We should prefer to use the "sub" claim to identify users (this is the way OIDC is _supposed_ to work), and only identify users by "email" as an optional backup strategy