nonce required whenever implicit or hybrid flow required

Issue #351 resolved
Henri Mikkonen created an issue

I get the following stack trace when trying to parse the following authentication request parameters:

  • scope:openid
  • response_type:code token
  • redirect_uri:...
  • state:SvHV14vfPV
  • client_id:...
  • response_mode:form_post

To my understanding this shouldn't require nonce, as the response_type contains code, but doesn’t return id_token from the authorize-endpoint (per OIDC 3.3.2.11)? At least OIDC certification suite test (oidcc-ensure-request-without-nonce-succeeds-for-code-flow) describes that “This test should end with the authorization server issuing an authorization code, even though a nonce was not supplied.”

The parameters are taken from that test.

stack trace:

..
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing nonce parameter: Required in the implicit and hybrid flows
        at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1683)

I'm using oauth2-oidc-sdk-9.1.jar

Comments (6)

  1. Henri Mikkonen reporter

    Section 3.3.2.1 of OIDC Core actually states it quite clearly:

    nonce - REQUIRED if the Response Type of the request is code id_token or code id_token token and OPTIONAL when the Response Type of the request is code token. It is a string value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.

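The rule the reporter quotes can be written down as a small check. The following is an added example written for this issue, not code from the Nimbus SDK: it applies the nonce rules of OpenID Connect Core 1.0 sections 3.1.2.1 (code flow), 3.2.2.1 (implicit flow) and 3.3.2.1 (hybrid flow) to an authentication request, and shows the matching RP-side check on the nonce claim of a received ID Token. The hostnames, client_id and redirect_uri values are constructed placeholders (the issue elides them); the state value and the other parameters are the ones from the issue.

```python
"""Which OpenID Connect flows require a nonce, and how to enforce it.

Added example written for this issue, not code from the Nimbus SDK. Nonce is
REQUIRED exactly when the authorization endpoint itself returns an ID Token,
i.e. whenever response_type contains id_token; for "code" and "code token"
the ID Token only comes from the token endpoint and nonce is OPTIONAL.
"""
import hmac
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# The request from the issue, rebuilt as a URL. redirect_uri and client_id
# are constructed placeholders because the issue elides them.
REQUEST_FROM_ISSUE = (
    "https://op.example/authorize?scope=openid&response_type=code+token"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&state=SvHV14vfPV"
    "&client_id=rp-client&response_mode=form_post"
)


class ParseError(ValueError):
    """An authentication request that violates a REQUIRED/MUST rule."""


def flow_for(response_type: str) -> str:
    """Classify a space-delimited response_type value by OIDC flow."""
    rt = frozenset(response_type.split())
    if rt == {"code"}:
        return "code"
    if rt in ({"id_token"}, {"id_token", "token"}):
        return "implicit"
    if rt in ({"code", "id_token"}, {"code", "token"}, {"code", "id_token", "token"}):
        return "hybrid"
    raise ParseError(f"Unsupported response_type: {response_type!r}")


def nonce_required(response_type: str) -> bool:
    """True when the authorization endpoint will issue an ID Token directly.

    Implicit (id_token, id_token token) and the hybrid variants code id_token
    and code id_token token: REQUIRED. code token (Core 3.3.2.1) and plain
    code (Core 3.1.2.1): OPTIONAL, because the ID Token is issued later by
    the token endpoint.
    """
    return "id_token" in response_type.split()


def parse_authentication_request(url: str) -> Dict[str, str]:
    """Parse the query of an authentication request and enforce the nonce rule."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params: Dict[str, str] = {}
    for name, values in query.items():
        if len(values) != 1:
            raise ParseError(f"Parameter {name!r} given more than once")
        params[name] = values[0]
    for name in ("scope", "response_type", "client_id", "redirect_uri"):
        if not params.get(name):
            raise ParseError(f"Missing {name} parameter")
    if "openid" not in params["scope"].split():
        raise ParseError("scope must contain openid")
    params["flow"] = flow_for(params["response_type"])  # rejects unknown types
    if nonce_required(params["response_type"]) and not params.get("nonce"):
        raise ParseError(
            "Missing nonce parameter: required when response_type contains "
            f"id_token (got {params['response_type']!r})"
        )
    return params


def accepts(url: str) -> bool:
    """Does the request pass the checks above? (No exception escapes.)"""
    try:
        parse_authentication_request(url)
        return True
    except ParseError:
        return False


def id_token_nonce_matches(claims: Dict[str, object], sent_nonce: Optional[str]) -> bool:
    """RP-side check on a received ID Token (Core 3.1.3.7 step 11, 3.3.2.12).

    If the request carried a nonce, the ID Token MUST contain a nonce claim
    equal to it; a mismatch means the token was not minted for this session
    (replayed or injected). When no nonce was sent the spec imposes no check.
    """
    if sent_nonce is None:
        return True
    received = claims.get("nonce")
    if not isinstance(received, str):
        return False
    # constant-time comparison so the nonce value does not leak via timing
    return hmac.compare_digest(received.encode(), sent_nonce.encode())


if __name__ == "__main__":
    # The issue's request: hybrid flow, no nonce, and it must be accepted.
    print(parse_authentication_request(REQUEST_FROM_ISSUE)["flow"])
```

With this rule the issue's `code token` request parses, while `code id_token` without a nonce is rejected, which is the behaviour the certification test `oidcc-ensure-request-without-nonce-succeeds-for-code-flow` expects.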