OIDC Hybrid Flow - nonce not passed to add_id_token #746


Closed
tevansuk opened this issue Feb 1, 2021 · 0 comments · Fixed by #747
Labels
Bug OAuth2-Provider This impact the provider part of OAuth2
Comments

@tevansuk
Contributor

tevansuk commented Feb 1, 2021

When using OIDC Hybrid Flow, the nonce is not passed when calling GrantTypeBase.add_id_token, despite it being present in request.nonce.

In the OIDC implicit flow, add_id_token is overridden to pull the nonce from request.nonce. In OIDC Authorization Code flow, we pull the nonce from the grant, but in Hybrid Flow nothing is done to handle the nonce, so it is omitted from the ID token. Putting the nonce in the ID token is REQUIRED for Hybrid Flow (3.3.2.11).

When retrieving the token from both the Authorization Endpoint and the Token Endpoint, the contents of the token should be the same, with some differences (3.3.3.6). The key phrase for me is "All Claims about the Authentication event present in either SHOULD be present in both."

The nonce is a claim about the authentication event and must be present in the ID token returned from the authentication endpoint, so it should also be present in the ID token from the token endpoint. This means that when handling an auth code token request in the hybrid flow, we should also be calling self.request_validator.get_authorization_code_nonce to retrieve any nonce from the grant.

EDIT: of course, when generating the ID token from the code, it doesn't matter that the code originally came from the hybrid flow; the token endpoint is handled by AuthorizationCodeGrant, which will inject the nonce just fine as long as it was correctly saved/restored along with the code.

How to reproduce

I'll add some tests to demonstrate.

Expected behavior

A nonce passed in to the authentication endpoint in hybrid flow should be present in the ID token from the authentication endpoint and the token endpoint.

Additional context

  • Are you using OAuth1, OAuth2 or OIDC? OIDC
  • Are you writing client or server side code? Server side
  • If client, what provider are you connecting to? N/A
  • Are you using a downstream library, such as requests-oauthlib, django-oauth-toolkit, ...? Adding OIDC support to django-oauth-toolkit
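The following is an added, self-contained model of the bug and of the fix the issue describes (passing request.nonce through to the base add_id_token, as the implicit grant already does). It is not oauthlib's code: the classes, the simplified add_id_token signature, the unsigned ID token and the sample nonce are all constructed for illustration, and the RP-side check shows why the omission matters, since a relying party that validates the nonce must reject the token the buggy hybrid grant produces.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Request:
    """Stand-in for the request object; only the field used here."""
    def __init__(self, nonce=None):
        self.nonce = nonce


class GrantTypeBase:
    def add_id_token(self, token, request, nonce=None):
        # Illustrative unsigned ID token (alg "none"); a real OP signs it.
        # The nonce claim is only emitted when the grant passes it in.
        claims = {"iss": "https://op.example", "sub": "user-1"}
        if nonce:
            claims["nonce"] = nonce
        header = _b64url(json.dumps({"alg": "none"}).encode())
        token["id_token"] = header + "." + _b64url(json.dumps(claims).encode()) + "."
        return token


class ImplicitGrant(GrantTypeBase):
    def add_id_token(self, token, request):
        # Implicit flow already forwards the nonce from the request.
        return super().add_id_token(token, request, nonce=request.nonce)


class HybridGrantBuggy(GrantTypeBase):
    pass  # Inherits the base method: nonce is never passed, so it is omitted.


class HybridGrantFixed(GrantTypeBase):
    def add_id_token(self, token, request):
        # The fix: mirror the implicit grant and forward request.nonce.
        return super().add_id_token(token, request, nonce=request.nonce)


def id_token_claims(token) -> dict:
    payload = token["id_token"].split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def rp_nonce_check(token, expected_nonce) -> bool:
    """RP-side rule: a missing or mismatched nonce claim means reject the token."""
    return id_token_claims(token).get("nonce") == expected_nonce
```

Calling rp_nonce_check on the output of HybridGrantBuggy with the nonce the RP sent returns False, while HybridGrantFixed (and ImplicitGrant) return True for the same request.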
tevansuk added a commit to tevansuk/oauthlib that referenced this issue Feb 1, 2021
Like with the implicit grant, we need to override add_id_token to pass
the nonce from the current request to GrantBase.add_id_token in order
for the ID token to have the correct nonce.

Add test that the nonce is in ID token from hybrid OIDC flow.

Fixes: oauthlib#746
tevansuk added a commit to tevansuk/oauthlib that referenced this issue Feb 11, 2021
Like with the implicit grant, we need to override add_id_token to pass
the nonce from the current request to GrantBase.add_id_token in order
for the ID token to have the correct nonce.

Add test that the nonce is in ID token from hybrid OIDC flow.

Fixes: oauthlib#746
auvipy pushed a commit that referenced this issue Feb 12, 2021
Like with the implicit grant, we need to override add_id_token to pass
the nonce from the current request to GrantBase.add_id_token in order
for the ID token to have the correct nonce.

Add test that the nonce is in ID token from hybrid OIDC flow.

Fixes: #746
@JonathanHuot JonathanHuot added this to the 3.1.1 milestone Feb 25, 2021
@JonathanHuot JonathanHuot added Bug OAuth2-Provider This impact the provider part of OAuth2 labels Feb 25, 2021