Skip to content

Fixed ID token nonce claim validation #104

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 24, 2024
Merged

Fixed ID token nonce claim validation #104

merged 7 commits into from
Oct 24, 2024

Conversation

@jo-carter
Copy link
Contributor

@jo-carter jo-carter commented Oct 19, 2024
edited
Loading

Previously, ID token nonce claim validation was skipped in all cases due to lack of detection of if the session was a new session.

@jo-carter jo-carter force-pushed the nonce-validation-fix branch from 5698083 to 9b844ad Compare October 21, 2024 04:54
@lcrilly
Copy link
Contributor

lcrilly commented Oct 21, 2024

Presumably the global variable is not persisting across internal redirects (as was the intention)?
Perhaps js_var is worth considering to avoid performing the newSession check twice?

@jo-carter jo-carter force-pushed the nonce-validation-fix branch from 9b844ad to 823bb0a Compare October 21, 2024 19:54
@jo-carter
Copy link
Contributor Author

jo-carter commented Oct 21, 2024
edited
Loading

Presumably the global variable is not persisting across internal redirects (as was the intention)?

@lcrilly That's right.

Perhaps js_var is worth considering to avoid performing the newSession check twice?

Yep, makes sense. Please see the changes in the latest push.

@jo-carter
Fixed ID token nonce claim validation
561ba74 
Previously, ID token nonce claim validation was skipped in all cases due to lack of detection of if the session was a new session.
@jo-carter jo-carter force-pushed the nonce-validation-fix branch from 823bb0a to 561ba74 Compare October 23, 2024 13:52
@jo-carter
Copy link
Contributor Author

jo-carter commented Oct 23, 2024

@lcrilly Actually, as was pointed out by interested parties out of band - that would not work, as the js_var will not persist beyond the 302 redirect to the IDP that occurs later in the auth function.

Reverting the commit back the original, and also converting newSession to a local variable in id_token_validation function, as it no longer needs to be global.

@ag-TJNII
Copy link
Contributor

ag-TJNII commented Oct 23, 2024

https://openid.net/specs/openid-connect-core-1_0.html#IDToken says

If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request.

Should the nonce check even be wrapped in the newSession if()? Skimming the docs I can't seem to find a definitive answer whether the renewal response contains the original nonce. I'm assuming there's cases where it doesn't. Looking at the spec I'm wondering if this should:

  • Always validate nonce if it's present
  • Ensure it is present on new sessions
  • Tolerate missing on renewals

https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens says Nonce: the nonce claim in the payload must match the nonce parameter passed into the /authorize endpoint during the initial request. implying that it will be returned on renewal, but I haven't confirmed that.

@ag-TJNII ag-TJNII mentioned this pull request Oct 24, 2024
Merged
@jo-carter
Merge pull request #1 from ag-TJNII/nonce-validation-fix
f0cdaf0 
Improve token nonce claim validation to better comply with OIDC spec.
@jo-carter
Adjusted Style & Log Messages.
917bbfd
lcrilly
lcrilly reviewed Oct 24, 2024
View reviewed changes
@jo-carter
Copy link
Contributor Author

jo-carter commented Oct 24, 2024
edited
Loading

@ag-TJNII

Should the nonce check even be wrapped in the newSession if()? Skimming the docs I can't seem to find a definitive answer whether the renewal response contains the original nonce. I'm assuming there's cases where it doesn't.

It is ambiguous in the spec, but I believe you are correct that it is intended. I see from issues on other projects that some do include nonce, and some do not include nonce claim in this case, so keeping it as a warning makes sense. (see resolved conversation above)

route443
route443 reviewed Oct 24, 2024
View reviewed changes
route443
route443 reviewed Oct 24, 2024
View reviewed changes
@route443 route443 merged commit 133504f into nginxinc:main Oct 24, 2024
@jo-carter jo-carter deleted the nonce-validation-fix branch October 25, 2024 03:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lcrilly lcrilly lcrilly left review comments

@route443 route443 route443 left review comments

+1 more reviewer

@ag-TJNII ag-TJNII ag-TJNII left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jo-carter @lcrilly @ag-TJNII @route443