Merge pull request #245 from govuk-one-login/update-token-validation
Repeat VOT validation guidance in token validation section
ethanmills authored Aug 21, 2024
2 parents 46f3861 + ee084fe commit 624072a
Showing 1 changed file with 3 additions and 0 deletions.
Expand Up @@ -368,6 +368,8 @@ Now you’ve understood what’s in your ID token, you’ll need to validate it.

#### Validate your ID token

<%= warning_text('You must perform all of the validation described below, or your integration may not be secure') %>


1. If you’re using a library, check whether your library has support for validating ID tokens.
1. The value of `iss` must exactly match the Issuer Identifier as specified in GOV.UK One Login’s [discovery endpoint][external.oidc-discovery].
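Review bot: the added `warning_text` call is followed by two blank lines before the numbered list, where the surrounding file uses one; one of the two added lines in this hunk looks like an accidental extra blank, so drop it. Since the very next step tells integrators to rely on a library if it supports ID token validation, consider making the warning explicit that a library does not exempt them from the checks listed below, in particular the `vot` comparison, which generic OIDC libraries do not perform.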
Expand All @@ -376,6 +378,7 @@ Now you’ve understood what’s in your ID token, you’ll need to validate it.
1. Check the current time is before the time in the `exp` claim.
1. Check the current time is after the time in the `iat` claim.
1. If you set a `nonce` value in the request to the `/authorize` endpoint, check this matches the `nonce` value in the ID token.
1. The `vot` claim must contain the credential trust level you asked for in the request to the `/authorize` endpoint. The `vot` claim will only contain the credential trust level, not the level of confidence, even if you make an identity request. For example, if you set the `vtr` parameter to `Cl.Cm.P2`, you must ensure the `vot` claim is equal to `Cl.Cm`.

### Error handling for ‘Make a token request’

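Review bot: the new `vot` step says the claim "must contain" the credential trust level, but the worked example says it "is equal to" `Cl.Cm`; these are not the same check, and a substring or prefix test would accept a weaker level than the one requested. State one rule, e.g. "the `vot` claim must exactly equal the credential trust level portion of the `vtr` value you sent (for `Cl.Cm.P2`, that is `Cl.Cm`); reject the token if it does not", so that a token carrying a lower trust level than requested fails validation. It would also help to say what to do when `vtr` was not sent, as the step currently assumes a value was always requested.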
