nonce not required for the implicit flow anymore
It looks like the fix to a bug related to nonces (see https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/351/nonce-required-whenever-implicit-or-hybrid) has caused another bug.
Now, the nonce is not anymore required for the implicit flow, for instance with the following authentication request parameters:
import java.net.URI;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;

// Implicit flow request (response_type=id_token) built WITHOUT a nonce;
// ResponseType.parse and new URI() throw checked exceptions, so run this inside a method that declares them
AuthenticationRequest ar = new AuthenticationRequest.Builder(
        ResponseType.parse("id_token"),
        new Scope("openid"),
        new ClientID("s6BhdRkqt3"),
        URI.create("https://example.com/cb")) // redirect_uri
        .state(new State("af0ifjsldkj"))
        .endpointURI(new URI("https://c2id.com/login"))
        .build();
Before the fix to issue 351, those parameters produced an exception, but that’s not the case anymore. I’m currently using 9.5.
The spec is clear that nonce is required for implicit flows: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
Comments (5)

Ouch, thanks, let’s see this

changed status to resolved
Fix in bb8927e4, release in 9.5.2.

reporter changed status to open
The fix covers only the implicit flow with response_type=id_token. However, as specified by the OIDC core spec section 3, response type "id_token token" also refers to implicit flow and nonce is REQUIRED (per 3.2.2.1).

Thank you Henri, I wonder how we got to have the buggy test in the first place.

changed status to resolved
Released in 9.5.3
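The report and the reopen comment above both come down to one rule: an OpenID Connect authentication request whose response_type implies the implicit flow ("id_token" or "id_token token", OIDC Core 3.2.2.1) must carry a nonce, and issue 351's title extends the same requirement to the hybrid flow. The following is an added, self-contained Java example written for this page; it is not code from the issue, the reporter, or the Nimbus SDK. It derives the flow from the response_type value set and rejects a request that omits nonce where the spec requires it, covering the "id_token token" case that the 9.5.2 fix missed. The class name, the sample request URIs (built from the reporter's parameters) and the nonce value are constructed for the example; treating every hybrid response_type, including "code token", as nonce-required follows the "implicit or hybrid" wording of issue 351.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical helper for this example; not part of the Nimbus SDK.
public final class NonceRequirementCheck {

    /** Flow implied by an OAuth 2.0 / OIDC response_type value set. */
    enum Flow { CODE, IMPLICIT, HYBRID, UNKNOWN }

    static Flow flowOf(Set<String> rt) {
        if (rt.isEmpty() || !Set.of("code", "id_token", "token").containsAll(rt)) return Flow.UNKNOWN;
        if (rt.equals(Set.of("code"))) return Flow.CODE;                    // authorization code flow
        if (!rt.contains("code")) {
            // "id_token" and "id_token token" are the OIDC implicit flow (Core 3.2.2.1);
            // a bare "token" is plain OAuth 2.0 implicit with no ID token, so no OIDC nonce rule applies
            return rt.contains("id_token") ? Flow.IMPLICIT : Flow.UNKNOWN;
        }
        return Flow.HYBRID;                                                  // code + id_token and/or token
    }

    /** nonce is REQUIRED for implicit and hybrid flows, OPTIONAL for the code flow. */
    static boolean nonceRequired(Set<String> rt) {
        Flow f = flowOf(rt);
        return f == Flow.IMPLICIT || f == Flow.HYBRID;
    }

    /** Parses the query component of an authentication request URI into single-valued parameters. */
    static Map<String, String> queryParams(URI uri) {
        Map<String, String> params = new HashMap<>();
        String query = uri.getRawQuery();
        if (query == null) return params;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String val = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            params.put(key, val);
        }
        return params;
    }

    /** Returns null when the request satisfies the nonce rule, otherwise the reason it must be rejected. */
    static String validateNonce(URI authRequest) {
        Map<String, String> p = queryParams(authRequest);
        String rtParam = p.get("response_type");
        if (rtParam == null || rtParam.isBlank()) return "missing response_type";
        // response_type is a space-separated set of values; order does not matter
        Set<String> rt = new HashSet<>(Arrays.asList(rtParam.trim().split("\\s+")));
        if (!nonceRequired(rt)) return null;
        String nonce = p.get("nonce");
        if (nonce == null || nonce.isEmpty()) {
            return "nonce is REQUIRED for response_type=" + rtParam + " (" + flowOf(rt) + " flow)";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample requests using the reporter's client_id, scope, redirect_uri and state
        String base = "https://c2id.com/login?client_id=s6BhdRkqt3&scope=openid"
                + "&redirect_uri=https%3A%2F%2Fexample.com%2Fcb&state=af0ifjsldkj";
        String[] cases = {
            base + "&response_type=id_token",                            // implicit, no nonce: REJECT
            base + "&response_type=id_token%20token",                    // implicit, no nonce: REJECT (missed by 9.5.2)
            base + "&response_type=code%20id_token%20token",             // hybrid, no nonce: REJECT
            base + "&response_type=id_token%20token&nonce=n-0S6_WzA2Mj", // implicit with nonce: OK
            base + "&response_type=code",                                // code flow, nonce optional: OK
        };
        for (String c : cases) {
            String problem = validateNonce(URI.create(c));
            System.out.println((problem == null ? "OK      " : "REJECT  ") + c
                    + (problem == null ? "" : "  -- " + problem));
        }
    }
}
```

The same check belongs on both sides of the protocol: a relying party building a request should refuse to send one that an OP is entitled to reject, and an OP should reject it at the authorization endpoint, since a missing nonce means the ID token returned in the front channel cannot be bound to the client session that requested it.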