Nonce validation fails in parse method for hybrid flow auth requests
In the parse method of AuthenticationRequest the 'nonce' parameter is validated like this:
// Nonce required in implicit flow
if (rt.impliesImplicitFlow() && nonce == null) {
String msg = "Missing \"nonce\" parameter: Required in implicit flow";
throw new ParseException(msg, OAuth2Error.INVALID_REQUEST.appendDescription(": " + msg),
clientID, redirectURI, ar.impliedResponseMode(), state);
}
However, in the constructor the nonce param is validated with the following bit of code:
// Nonce required for implicit protocol flow
if (nonce == null && (rt.impliesImplicitFlow() || rt.impliesHybridFlow()))
throw new IllegalArgumentException("Nonce is required in implicit / hybrid protocol flow");
So if I parse the following request (a hybrid flow request, missing the nonce param) I end up getting an IllegalArgumentException instead of a ParseException:
GET /authorize?
response_type=code%20id_token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj HTTP/1.1
Host: server.example.com
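As an added example (not the SDK's code, and not part of the original report), the following minimal parser applies one nonce rule, "required whenever the response type implies the implicit or the hybrid flow", at parse time, so that the hybrid request above is rejected with a ParseException carrying an invalid_request error code plus the client_id, redirect_uri and state needed for an error redirect, instead of leaking an IllegalArgumentException from a constructor. The class, method and exception names are hypothetical stand-ins for the SDK's; the nonce value used for the positive case is constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical example class; not the oauth2-oidc-sdk implementation.
public class NonceCheckExample {

    // Stand-in for the SDK's ParseException: carries the OAuth2 error code and the
    // request parameters a server needs to build an error response to the client.
    static final class ParseException extends Exception {
        final String errorCode;
        final String clientID;
        final String redirectURI;
        final String state;

        ParseException(String msg, String errorCode, String clientID, String redirectURI, String state) {
            super(msg);
            this.errorCode = errorCode;
            this.clientID = clientID;
            this.redirectURI = redirectURI;
            this.state = state;
        }
    }

    // Decode an application/x-www-form-urlencoded query string into a map.
    static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new HashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    // response_type is a space-separated set of tokens, e.g. "code id_token".
    // Implicit: no authorization code, at least one token returned from the front channel.
    static boolean impliesImplicitFlow(Set<String> rt) {
        return !rt.contains("code") && (rt.contains("token") || rt.contains("id_token"));
    }

    // Hybrid: an authorization code plus at least one front-channel token.
    static boolean impliesHybridFlow(Set<String> rt) {
        return rt.contains("code") && (rt.contains("token") || rt.contains("id_token"));
    }

    // Parse and validate; every validation failure is a ParseException, never a runtime exception.
    static Map<String, String> parse(String query) throws ParseException {
        Map<String, String> p = parseQuery(query);
        String clientID = p.get("client_id");
        String redirectURI = p.get("redirect_uri");
        String state = p.get("state");

        String rtValue = p.get("response_type");
        if (rtValue == null) {
            throw new ParseException("Missing \"response_type\" parameter", "invalid_request",
                    clientID, redirectURI, state);
        }
        Set<String> rt = new HashSet<>(Arrays.asList(rtValue.trim().split("\\s+")));

        // One rule, the same one the constructor enforces: nonce is required in implicit and hybrid flow.
        if (p.get("nonce") == null && (impliesImplicitFlow(rt) || impliesHybridFlow(rt))) {
            String msg = "Missing \"nonce\" parameter: Required in implicit / hybrid flow";
            throw new ParseException(msg, "invalid_request", clientID, redirectURI, state);
        }
        return p;
    }

    public static void main(String[] args) {
        // The hybrid-flow request from the report, without a nonce (query portion only).
        String query = "response_type=code%20id_token&client_id=s6BhdRkqt3"
                + "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
                + "&scope=openid%20profile&state=af0ifjsldkj";
        try {
            parse(query);
            System.out.println("unexpected: request without nonce was accepted");
        } catch (ParseException e) {
            // Expected path: the server can answer with error=invalid_request and echo the state.
            System.out.println("ParseException: " + e.getMessage()
                    + " (error=" + e.errorCode + ", state=" + e.state + ")");
        }
        try {
            // Constructed nonce value for the positive case.
            parse(query + "&nonce=n-0S6_WzA2Mj");
            System.out.println("request with nonce accepted");
        } catch (ParseException e) {
            System.out.println("unexpected: " + e.getMessage());
        }
    }
}
```

The design point is that the parse-time check and the constructor check must share the same predicate; when they diverge, the stricter constructor fires on input the parser already accepted, and the caller sees an unchecked exception with none of the context (client_id, redirect_uri, state) needed to return a proper OAuth2 error to the client.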
Comments (8)
- Cheers! Is that from the latest version - 5.38?
- reporter: Hi, Yes, I'm on 5.38
- changed status to open
- To clarify that nonce is required in the hybrid flow: https://bitbucket.org/openid/connect/issues/972/nonce-requirement-in-hybrid-auth-request (will be fixed in errata)
- Fixed in commit 9a8abe0
- changed status to resolved
- The fix is now on Maven Central as part of v5.39: https://search.maven.org/#artifactdetails%7Ccom.nimbusds%7Coauth2-oidc-sdk%7C5.39%7Cjar
- reporter: Tests are green in our environment using the fixed version. Thank you! I appreciate your time and effort.