nonce required whenever implicit or hybrid flow required
I get the following stack trace when trying to parse the following authentication request parameters:
- scope: openid
- response_type: code token
- redirect_uri: ...
- state: SvHV14vfPV
- client_id: ...
- response_mode: form_post
To my understanding this shouldn't require a nonce, as the response_type contains code but doesn't return an id_token from the authorize endpoint (per OIDC 3.3.2.11). At least the OIDC certification suite test (oidcc-ensure-request-without-nonce-succeeds-for-code-flow) states that “This test should end with the authorization server issuing an authorization code, even though a nonce was not supplied.”
The parameters are taken from that test.
Stack trace:
...
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing nonce parameter: Required in the implicit and hybrid flows
    at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1683)
I'm using oauth2-oidc-sdk-9.1.jar.
Comments (6)
reporter: Section 3.3.2.1 of OIDC Core actually states it quite clearly:

nonce - REQUIRED if the Response Type of the request is code id_token or code id_token token and OPTIONAL when the Response Type of the request is code token. It is a string value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.
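The rule quoted above, applied to the reporter's parameters, as an added Python example (not the Nimbus SDK's code): nonce_required() encodes when OIDC Core makes nonce REQUIRED for each defined response_type, and check_nonce() applies it to a query string. The redirect_uri and client_id values are placeholders, and the function names are this example's own.

```python
"""Nonce requirement check for OIDC authentication requests (OIDC Core 1.0,
sections 3.1.2.1, 3.2.2.1 and 3.3.2.11). Added example, not SDK code."""
from urllib.parse import parse_qs

# Response types defined by OIDC Core / OAuth 2.0 Multiple Response Types.
KNOWN_RESPONSE_TYPES = {
    frozenset({"code"}),                       # authorization code flow
    frozenset({"id_token"}),                   # implicit flow
    frozenset({"id_token", "token"}),          # implicit flow
    frozenset({"code", "id_token"}),           # hybrid flow
    frozenset({"code", "token"}),              # hybrid flow
    frozenset({"code", "id_token", "token"}),  # hybrid flow
}

def nonce_required(response_type: str) -> bool:
    """True when OIDC Core makes nonce REQUIRED for this response_type.
    The spec rule reduces to: nonce is REQUIRED exactly when an ID Token is
    issued from the authorization endpoint, i.e. response_type contains
    id_token. 'code' and 'code token' return none there, so nonce is OPTIONAL.
    response_type is a space-separated, order-insensitive list."""
    parts = frozenset(response_type.split())
    if parts not in KNOWN_RESPONSE_TYPES:
        raise ValueError(f"unsupported response_type: {response_type!r}")
    return "id_token" in parts

def check_nonce(query: str) -> dict:
    """Parse an authentication request query string and enforce the rule.
    Returns the single-valued parameters; raises ValueError naming the
    response_type when nonce is missing but REQUIRED."""
    raw = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    params = {k: v[0] for k, v in raw.items()}
    for required in ("scope", "response_type", "client_id", "redirect_uri"):
        if required not in params:
            raise ValueError(f"Missing {required} parameter")
    if "openid" not in params["scope"].split():
        raise ValueError("Not an OIDC request: scope lacks openid")
    if nonce_required(params["response_type"]) and not params.get("nonce"):
        raise ValueError("Missing nonce parameter: REQUIRED for response_type "
                         f"{params['response_type']!r}")
    return params

# Constructed request modelled on the reporter's parameters (redirect_uri and
# client_id are placeholders): 'code token' must parse without a nonce.
REPORTED_QUERY = ("scope=openid&response_type=code+token"
                  "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&state=SvHV14vfPV"
                  "&client_id=example-rp&response_mode=form_post")
```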
- changed status to open
Thanks for the catch!
Context - tests have not been updated after OIDC ticket resolution:
Fixed in 14d894f2, released in version 9.2.4 (2021-03-23).

Thanks & happy coding!
- changed status to resolved