Allow empty nonce from ID Tokens issued from Refresh Tokens about oidc HOT 10 OPEN

Yes, I wrote I agree ;)

from oidc.

Thank you for sharing your idea.
If there is a significant demand from customers/community, we will carefully consider implementing the feature.
Currently, the issue will be added to our product backlog.

Meanwhile, if you're interested in implementing it yourself, we also welcome pull requests.

from oidc.

The standard is a bit fishy on this.

it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication

Disable is indeed the easy solution, but not necessary the correct one. If we want to be 100% correct we should verify the nonce against the original ID Token, if it was returned with the new ID token. So in case of Entra ID you could work-around the issue by constructing the RP with the WithNonce verrifier option, passed to WithVerifierOpts. Then, when calling RefreshTokens use context Values to set and obtain the Nonce from the original token.

from oidc.

The standard also says (Section 12.2)

12.2. Successful Refresh Response
Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.
...
it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication

My problem is according the standard, its compliant to omit the nonce claim, too. In this case, I need a verifier which accepts both: an empty string and the nonce claim from the original ID Token.

In my case, I support any OIDC provider and I have different results from Entra ID. While on my test, the nonce is empty, other users experience that error that nonce is non-empty.

Would it be an option to check the nonce only, if its non-empty? That would be 100% correct, because it says check nonce only, if present.

from oidc.

I also tried something like this:

    ctx = context.WithValue(ctx, types.CtxNonce{}, "value")
	newTokens, err := rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
	if errors.Is(err, oidc.ErrNonceInvalid) {
		ctx = context.WithValue(ctx, types.CtxNonce{}, "")
		newTokens, err = rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
	}

but it fails, if the Provider has a one time usage policy for refresh tokens.

from oidc.

@muhlemmer what did you think about empty nonce value is fine on refresh?

from oidc.

Sorry lost track of this issue. With the above arguments you gave I agree that we can allow an empty nonce. Do you want to send a PR for that?

from oidc.

With the above arguments you gave I agree that we can allow an empty nonce

Its spec compliant. If you read (Section 12.2):

Token from Refresh Response SHOULD NOT have a nonce Claim, however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication

which I interpret: claims from refresh response should be empty/non present. If not empty, the values should be equal to the initial value.

If you would agree here, I would open a PR

from oidc.

I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature

from oidc.

I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature

You can open a breaking change PR against the next branch. And I can have a look if there is a solution to port it to main.

from oidc.