Comments (10)
Yes, I wrote I agree ;)
from oidc.
Thank you for sharing your idea.
If there is a significant demand from customers/community, we will carefully consider implementing the feature.
Currently, the issue will be added to our product backlog.
Meanwhile, if you're interested in implementing it yourself, we also welcome pull requests.
from oidc.
The standard is a bit fishy on this.
it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication
Disable is indeed the easy solution, but not necessary the correct one. If we want to be 100% correct we should verify the nonce against the original ID Token, if it was returned with the new ID token. So in case of Entra ID you could work-around the issue by constructing the RP with the WithNonce
verrifier option, passed to WithVerifierOpts
. Then, when calling RefreshTokens
use context Values to set and obtain the Nonce from the original token.
from oidc.
The standard also says (Section 12.2)
12.2. Successful Refresh Response
Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.
...
it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication
My problem is according the standard, its compliant to omit the nonce claim, too. In this case, I need a verifier which accepts both: an empty string and the nonce claim from the original ID Token.
In my case, I support any OIDC provider and I have different results from Entra ID. While on my test, the nonce is empty, other users experience that error that nonce is non-empty.
Would it be an option to check the nonce only, if its non-empty? That would be 100% correct, because it says check nonce only, if present.
from oidc.
I also tried something like this:
ctx = context.WithValue(ctx, types.CtxNonce{}, "value")
newTokens, err := rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
if errors.Is(err, oidc.ErrNonceInvalid) {
ctx = context.WithValue(ctx, types.CtxNonce{}, "")
newTokens, err = rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
}
but it fails, if the Provider has a one time usage policy for refresh tokens.
from oidc.
@muhlemmer what did you think about empty nonce value is fine on refresh?
from oidc.
Sorry lost track of this issue. With the above arguments you gave I agree that we can allow an empty nonce. Do you want to send a PR for that?
from oidc.
With the above arguments you gave I agree that we can allow an empty nonce
Its spec compliant. If you read (Section 12.2):
Token from Refresh Response SHOULD NOT have a nonce Claim, however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication
which I interpret: claims from refresh response should be empty/non present. If not empty, the values should be equal to the initial value.
If you would agree here, I would open a PR
from oidc.
I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature
from oidc.
I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature
You can open a breaking change PR against the next
branch. And I can have a look if there is a solution to port it to main
.
from oidc.
Related Issues (20)
- PKCE support is not enough HOT 1
- use trace id of external service HOT 2
- Allow custom forwarded header HOT 2
- [Bug]: client invalid signature when OIDC server is restarted HOT 2
- The automated release is failing 🚨
- [Bug]: nil pointer dereference in `crypto.BytesToPrivateKey` HOT 3
- Access to auto discovery configuration HOT 3
- Support form_post OIDC response mode HOT 4
- Do not ignore all JWKS parsing errors HOT 3
- [Bug]: nil pointer dereference when not setting unauthorized handler HOT 2
- Switch to `log/slog` HOT 2
- [Bug]: The behavior of response_mode does not adhere to the guidelines HOT 2
- Support ``verification_url`` mispelling in the device auth response HOT 6
- Set IDTokenSigningAlgValuesSupported of DiscoveryConfiguration obtained by Discover when initializing RelyingParty. HOT 3
- Update to go-jose/v4 HOT 4
- add prometheus metrics for apis HOT 2
- JWT Profile Grant: return id_token if openid scope is set HOT 11
- I want to increase the defaults for signature algorithm. HOT 2
- Question about licensing HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oidc.