
Support nonce for Authorization Code and Implicit Grant #962

Closed
m0ark opened this issue Nov 8, 2018 · 8 comments

Comments


m0ark commented Nov 8, 2018

Currently I have to integrate the full OpenID Connect Core spec, so I came across https://github.com/steverhoades/oauth2-openid-connect-server and, through it, this library.

The OIDC Implicit Flow requires a nonce to be included in the issued id_token (see 3.2.2.1).

In the OIDC Authorization Code Grant the request can contain a nonce, and in this case it has to be included in the id_token as well (see 3.1.2.1).

For OAuth2, handling nonces is only ever mentioned in a security advisory (mentioned in #634), but for OpenID Connect handling them is mandatory. Since OpenID Connect is just an extension of OAuth2, I think nonces should be handled by the latter.

@Sephster
Member

Sephster commented Nov 8, 2018

We aren't supporting OpenID Connect at present but do plan to do so in the future. I don't believe including a nonce is required in any of the RFCs we currently support, so I don't think this will be added until full support for OpenID Connect is.

Sephster closed this as completed Nov 8, 2018
@MichaelKubovic

Hi @m0ark, how did you deal with the missing nonce?

@lordrhodos

@m0ark I am interested in this as well. Hit the same issue.

@ThaDaVos

Any ETA on when official OpenID Connect support is coming? I am running into the same issue that the nonce is missing - I figured out one can easily add it inside https://github.com/steverhoades/oauth2-openid-connect-server IdTokenResponse using a ->withClaim('nonce', '<VALUE>') inside the overridden getBuilder method - but I am struggling to get the nonce all the way through so it's accessible there.

@Sephster
Member

No plans to add into the next major so likely after that. Steve's repo is the best option for now 👍

@ThaDaVos

Sadly it doesn't handle the nonce part (I am already using it) - but I am trying to make it spec-compliant - any hint on how one uses the new AuthorizationRequestInterface introduced with #1110?

I can't find any docs for it, but it seems to be able to solve the issue.

@ThaDaVos

Nvm... V9 isn't even out yet....

@ThaDaVos

I added a comment in steverhoades/oauth2-openid-connect-server#47 on how I did it successfully today.
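As an added example (Python rather than the PHP of the two libraries, and not code from either project or from anyone in this thread), this is the nonce round trip the issue asks for: the authorization server keeps the request nonce beside the issued code, the token endpoint copies it into the id_token as the spec sections cited above require, and the relying party checks the signature, issuer and audience and accepts each nonce only once. The HS256 key, issuer, client id and user id are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"       # constructed HS256 secret for this example only
ISSUER = "https://op.example"       # constructed issuer identifier

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_id_token(sub: str, client_id: str, nonce):
    # OP side: compact HS256 id_token; the nonce claim is set only when the request carried one
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id}
    if nonce is not None:
        claims["nonce"] = nonce   # OIDC Core 3.1.2.1 (code) / 3.2.2.1 (implicit, where it is required)
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class AuthorizationServer:
    """Stores the request nonce beside the issued code so the token endpoint can put it in id_token."""
    def __init__(self):
        self.codes = {}
    def authorize(self, client_id, nonce=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, nonce)
        return code
    def token(self, code):
        client_id, nonce = self.codes.pop(code)   # authorization code is single-use
        return mint_id_token("user-42", client_id, nonce)

class RelyingParty:
    """Client side: one fresh nonce per login, consumed once, so a replayed id_token is rejected."""
    def __init__(self, client_id):
        self.client_id, self.pending = client_id, set()
    def start_login(self):
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return nonce
    def finish_login(self, id_token):
        header, body, sig = id_token.split(".")
        expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims.get("iss") != ISSUER or claims.get("aud") != self.client_id:
            return None, "wrong issuer or audience"
        if claims.get("nonce") not in self.pending:   # missing, unknown or already consumed
            return None, "nonce missing, unknown or already used"
        self.pending.remove(claims["nonce"])
        return claims, "ok"
```

A token minted without a nonce, or presented a second time, fails the last check even though its signature is valid, which is exactly the gap the thread describes.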
