-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow empty nonce from ID Tokens issued from Refresh Tokens #509
Comments
Thank you for sharing your idea. Meanwhile, if you're interested in implementing it yourself, we also welcome pull requests. |
The standard is a bit fishy on this.
Disable is indeed the easy solution, but not necessary the correct one. If we want to be 100% correct we should verify the nonce against the original ID Token, if it was returned with the new ID token. So in case of Entra ID you could work-around the issue by constructing the RP with the |
The standard also says (Section 12.2)
My problem is according the standard, its compliant to omit the nonce claim, too. In this case, I need a verifier which accepts both: an empty string and the nonce claim from the original ID Token. In my case, I support any OIDC provider and I have different results from Entra ID. While on my test, the nonce is empty, other users experience that error that nonce is non-empty. Would it be an option to check the nonce only, if its non-empty? That would be 100% correct, because it says check nonce only, if present. |
I also tried something like this: ctx = context.WithValue(ctx, types.CtxNonce{}, "value")
newTokens, err := rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
if errors.Is(err, oidc.ErrNonceInvalid) {
ctx = context.WithValue(ctx, types.CtxNonce{}, "")
newTokens, err = rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
} but it fails, if the Provider has a one time usage policy for refresh tokens. |
@muhlemmer what did you think about empty nonce value is fine on refresh? |
Sorry lost track of this issue. With the above arguments you gave I agree that we can allow an empty nonce. Do you want to send a PR for that? |
Its spec compliant. If you read (Section 12.2):
which I interpret: claims from refresh response should be empty/non present. If not empty, the values should be equal to the initial value. If you would agree here, I would open a PR |
Yes, I wrote I agree ;) |
I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature |
You can open a breaking change PR against the |
Preflight Checklist
Describe your problem
I have the issue that ID Token from Microsoft Entra ID issued via an Refresh Token may have a nonce claim. According to OIDC Spec, such token should not contain an nonce claim (The clarification on SPEC introduced 14 months ago; https://bitbucket.org/openid/connect/pull-requests/341)
The IDToken verifier includes an non optional claim which fails in my scenria, if I to a RefreshToken against Microsoft Entra ID I got this error:
Describe your ideal solution
Since ID Tokens request by an RefreshToken should not contains a nonce anyways (technically, it's not possible to define one from client site and its defined in SPEC), I prefer to disable the nonce validation in such cases.
Version
3.8.1
Environment
Self-hosted
Additional Context
I'm aware that Microsoft should fix the logic in Entra ID, but I feel this will not happen in next moths...
The text was updated successfully, but these errors were encountered: