
[Bug]: Nonce validation after refresh token use is incorrect #1642

Open
crubach opened this issue Dec 21, 2022 · 3 comments

Comments

@crubach

crubach commented Dec 21, 2022

Version

15.0.2

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

An OIDC-certified provider such as node-oidc-provider can opt to include the nonce value in ID tokens returned when a /token request is made with a previously obtained refresh token.

The library will throw an error similar to "Validate_id_token_nonce failed, dataIdToken.nonce: 11f86d9059c1100ef98180db0f3d17fbe3Ft1o9Wq local_nonce:--RefreshToken--" by default when the provider returns an id token with the nonce matching the *original* request (here: 11f86d9059c1100ef98180db0f3d17fbe3Ft1o9Wq).

The most recent errata for OpenID Connect ( https://bitbucket.org/openid/connect/pull-requests/341/errata-clarified-nonce-during-id-token ) clarify that this behavior is correct/allowed:

    ... if it is present,
    its value MUST be the same as in the ID Token issued
    at the time of the original authentication

even though the library attempts to check for the presence of the nonce value it uses during the refresh attempt.

Steps to reproduce the behavior

Use node-oidc-provider and configure a sample client configuration allowing "grantTypes": ["refresh_token"], request the offline_access scope with the consent prompt, and set the access token expiration to be short-lived.

A clear and concise description of what you expected to happen.

ValidateIdTokenNonce in the provider should check for a match with the nonce value from the original authentication attempt, not the renewal attempt, if it is present (to match the OIDC standard addendum).

Additional context

No response
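The check the errata describe (on refresh, a nonce in the ID token is optional, but if present it must equal the nonce of the original authentication), as an added TypeScript example that is not part of the library or of any comment in this thread; the names IdTokenClaims, NonceCheck and validateIdTokenNonce are assumptions, and the sample nonce value is constructed:

```typescript
// Added example (not the library's or any commenter's code): nonce check for an
// OIDC id_token from the initial authentication response versus one from a
// refresh_token response, following the OpenID Connect errata quoted above.
// The names IdTokenClaims, NonceCheck and validateIdTokenNonce are assumptions.

interface IdTokenClaims {
  sub: string;
  nonce?: string;
  [claim: string]: unknown;
}

type NonceCheck = { ok: true } | { ok: false; reason: string };

// originalNonce: the nonce sent with the original authorization request and
//                stored by the client at that time (assumed to be persisted).
// isRefresh:     true when the id_token came back from a refresh_token grant.
function validateIdTokenNonce(
  claims: IdTokenClaims,
  originalNonce: string,
  isRefresh: boolean,
): NonceCheck {
  if (!isRefresh) {
    // Initial response: the nonce is required and must match what was sent.
    if (claims.nonce === undefined) {
      return { ok: false, reason: 'nonce missing from id_token' };
    }
    return claims.nonce === originalNonce
      ? { ok: true }
      : { ok: false, reason: 'nonce does not match the original request' };
  }
  // Refresh response: the nonce is optional. If present, it must equal the one
  // from the original authentication, not a refresh-time placeholder value.
  if (claims.nonce === undefined) {
    return { ok: true };
  }
  return claims.nonce === originalNonce
    ? { ok: true }
    : { ok: false, reason: 'refreshed id_token nonce differs from original' };
}

// Constructed sample: the provider echoes the original nonce in the refreshed
// id_token. Comparing it against a refresh-time placeholder reproduces the
// failure from the issue; comparing against the stored original nonce passes.
const ORIGINAL_NONCE = 'constructed-original-nonce-value';
const refreshedClaims: IdTokenClaims = { sub: 'user-1', nonce: ORIGINAL_NONCE };
const placeholderResult = validateIdTokenNonce(refreshedClaims, '--RefreshToken--', true);
const correctResult = validateIdTokenNonce(refreshedClaims, ORIGINAL_NONCE, true);
```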

@damienbod
Owner

I think the nonce validation is correct. I don't think this is part of the refresh. I will read up on this and validate.

Thanks for reporting

Greetings Damien

@fabbio204

I had the same problem.

I have a server with OpenIddict, and I created a configuration for sample-code-flow-auto-login.

To fix this error, I made some changes in the core project:

File state-validations.service.ts (screenshot)

File refresh-session-callback-handler.service.ts (screenshot)

But I have a question: do these changes make sense for this problem?

@damienbod

@nkelemen18

nkelemen18 commented May 18, 2023

I have the same issue. Why not validate the nonce by default, if this line handles the case when the nonce is missing?


4 participants