
[Feature Request]: allow option to disable nonce parameter and check #1560

Open

tanandre opened this issue Oct 21, 2022 · 2 comments

Comments

@tanandre

There are auth servers that do not support the nonce parameter. And as a client it is not required to send one. This flexibility allows angular-auth-oidc-client to be applicable in more different situations and environments.

Describe the solution you'd like
A configurable option to disable the nonce parameter and validation

Describe alternatives you've considered
We tried convincing the other side to support nonce but this is hard to control. Also we added a workaround to disable the nonce validation by updating the sessionStorage before angular-auth-oidc-client reads it, but this seems very hacky and brittle and can easily break with each upgrade.

Additional context
Add any other context or screenshots about the feature request here.

@damienbod
Owner

Why would you disable the nonce validation? This is an important security check.

Getting it working due to env constraints with security holes is not really a good idea. Is updating your identity provider to a modern standard not possible?

Greetings Damien

@tanandre
Author

tanandre commented Nov 1, 2022

Hi Damien,

Our application is set up to connect with multiple different OIDC servers depending on what our customers use. Most of the OIDC servers we connected to support the nonce but we currently encountered one that doesn't. We already pushed back by explaining it's mandatory for the server to support it. Still, as a client it is an optional parameter, which I believe we could make configurable.
