Use request.nonce when generating hybrid id token #747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Conversation

tevansuk

@tevansuk tevansuk commented Feb 1, 2021

Like with the implicit grant, we need to override add_id_token to pass the nonce from the current request to GrantBase.add_id_token in order for the ID token to have the correct nonce.

Add test that the nonce is in ID token from hybrid OIDC flow.

Fixes: #746

tevansuk commented Feb 1, 2021

I see two ways of fixing this. The first is what is in the PR, which follows how this is done in OIDC auth code flow and OIDC implicit flow, to override add_id_token and inject the nonce.

The second is to do away with all these overrides (and RequestValidator.get_authorization_code_nonce), and have GrantTypeBase.add_id_token to just look at request.nonce. For auth code flow, this would involve a change in behaviour for OIDC providers to require RequestValidator.validate_code to set request.nonce when validating the code. This would be a backwards incompatible change however, and so I went with the first option.

@@ -35,6 +35,9 @@ def __init__(self, request_validator=None, **kwargs):
self.register_code_modifier(self.add_id_token)
self.register_token_modifier(self.add_id_token)

def add_id_token(self, token, token_handler, request):
return super().add_id_token(token, token_handler, request, nonce=request.nonce)
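Review bot: the override forwards `request.nonce` unconditionally, so it is only correct if `GrantBase.add_id_token` tolerates `nonce=None` for response types where the nonce is OPTIONAL (`code token` in the hybrid flow); worth confirming in the test added with this change rather than only for `code id_token`. A one-line docstring saying the override exists to mirror the implicit grant's handling would also make the intent clear to the next reader.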
tevansuk replied to a review comment on this hunk:
Yep, or a better description is in the spec. It's used to prevent replay attacks: the client generates a random nonce and stores it in a session, and then compares the nonce in the response with the nonce in the session. If it is missing either in the session or the response, or does not match, the response is invalid.

It's a required parameter for the implicit flow, a sometimes required parameter for the hybrid flow and an optional parameter for the authorization code flow.

Handling it, however, is not optional - if a nonce is presented in the authorization endpoint, it must be in the ID token or a client should reject the response as invalid.

JonathanHuot (Member) commented:

Hi @tevansuk, good catch! However, note that nonce is optional for "code token" in hybrid mode, as highlighted in

# nonce is REQUIRED when response_type value is:
# - id_token token (Implicit)
# - id_token (Implicit)
# - code id_token (Hybrid)
# - code id_token token (Hybrid)
#
# nonce is OPTIONAL when response_type value is:
# - code (Authorization Code)
# - code token (Hybrid)
; however, your code seems to be using the right approach anyway (using request.nonce will work even without a value).

@JonathanHuot JonathanHuot left a review comment:

LGTM

tevansuk commented Feb 2, 2021

Thanks for the review!

I'm not sure that text is correct, by the way. The spec says that it is an optional authentication request parameter in certain flows and required in other flows, but it can be specified in all of them, and if it is used, the server must include it in the ID token and clients must verify it (section 2, ID Token):

If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used.

Then in section 3.3.2.11 (Hybrid Flow - ID Token):

nonce
Use of the nonce Claim is REQUIRED for this flow.

For "code token" of course, the id token is retrieved by the auth code flow grant handler, which handles it the same as a standard auth code, so it did already work correctly for that case!
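To make the contract described in the two comments above concrete, here is an added Python illustration (not oauthlib's code) of both halves: the server copying the request nonce into the ID token claims, which is what the overridden add_id_token achieves, and the client-side check that rejects a response whose nonce is missing or mismatched. The names NONCE_REQUIRED, add_nonce_claim and verify_nonce are assumed here, as is the constructed claim set.

```python
import hmac
import secrets
from typing import Optional

# response_type values for which OpenID Connect Core requires a nonce
# (the same list quoted from oauthlib's source earlier in this thread).
NONCE_REQUIRED = {"id_token", "id_token token", "code id_token", "code id_token token"}


def new_client_nonce() -> str:
    """Client side: mint an unguessable nonce, keep it in the session, send it in the request."""
    return secrets.token_urlsafe(32)


def add_nonce_claim(claims: dict, request_nonce: Optional[str]) -> dict:
    """Server side (OIDC Core section 2): if the Authentication Request carried a nonce,
    the ID token MUST echo it, whatever the flow. Missing nonce => no claim added."""
    out = dict(claims)
    if request_nonce:
        out["nonce"] = request_nonce
    return out


def verify_nonce(claims: dict, session_nonce: Optional[str], response_type: str) -> bool:
    """Client side check. Returns False whenever the response must be rejected."""
    token_nonce = claims.get("nonce")
    # Flows where nonce is REQUIRED: the client must have minted one in the first place.
    if response_type in NONCE_REQUIRED and not session_nonce:
        return False
    # We sent no nonce (code / "code token"): a nonce claim that appeared anyway
    # cannot equal what we sent, so it fails the section 2 equality rule.
    if session_nonce is None:
        return token_nonce is None
    # We sent one: the claim MUST be present (the bug fixed by this PR) and a string.
    if not isinstance(token_nonce, str):
        return False
    # Constant-time comparison against the value stored in the session.
    return hmac.compare_digest(token_nonce, session_nonce)


if __name__ == "__main__":
    nonce = new_client_nonce()
    # Constructed claim set standing in for a decoded, signature-verified ID token.
    issued = add_nonce_claim({"iss": "https://op.example", "sub": "user-1"}, nonce)
    print(verify_nonce(issued, nonce, "code id_token"))         # True
    print(verify_nonce({"sub": "user-1"}, nonce, "code id_token"))  # False: nonce dropped
```

The second printed case is exactly the hybrid-flow failure this PR fixes: a client that sent a nonce receives an ID token without the claim and must treat the response as invalid.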

Like with the implicit grant, we need to override add_id_token to pass
the nonce from the current request to GrantBase.add_id_token in order
for the ID token to have the correct nonce.

Add test that the nonce is in ID token from hybrid OIDC flow.

Fixes: oauthlib#746
@tevansuk tevansuk force-pushed the fix/pass-nonce-to-id-token-in-hybrid-flow branch from 9d16e1f to 707df8c on February 11, 2021 22:35
@auvipy auvipy merged commit 89162b8 into oauthlib:master Feb 12, 2021
@auvipy auvipy added this to the 3.1.1 milestone Feb 12, 2021
@tevansuk tevansuk deleted the fix/pass-nonce-to-id-token-in-hybrid-flow branch February 16, 2021 10:12
Successfully merging this pull request may close these issues.

OIDC Hybrid Flow - nonce not passed to add_id_token