Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix nonce validation #25

Merged
merged 1 commit into from
Sep 30, 2024
Merged

Fix nonce validation #25

merged 1 commit into from
Sep 30, 2024

Conversation

timhallmann
Copy link

Require a valid nonce if the request contained one.

@timhallmann
Fix nonce validation
7bb13f5 
Require a valid nonce if the request contained one.
@lilioid lilioid self-requested a review September 27, 2024 08:43
lilioid
lilioid requested changes Sep 30, 2024
View reviewed changes
Copy link
Member

@lilioid lilioid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The specification calls for us to do this validation:

If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.

The way I interpret this is that if there is a nonce present in the token, we MUST validate it. This means that not passing a nonce to validate_extern() should produce an error.

I'd be open to adding an additional error message for this specific case or rewording the existing one to be more clear though.

@timhallmann
Copy link
Author

timhallmann commented Sep 30, 2024
edited
Loading

We must validate the nonce if one was sent in the Authentication Request (not necessarily the Token Response / ID Token). That's what my patch enforces: If the caller passes a nonce to validate_extern, we'll check the nonce in the ID token. We do not permit an ID token to skip this check by not including a nonce.

Furthermore, if the ID token contains a nonce, but the caller does not pass one to validate_extern, we'll validate anyway and fail, thereby matching the old behavior. AFAIK, this is undefined behavior - but a conforming OP is not supposed to add a nonce on a whim, so it should be fine to be strict.

@lilioid
Copy link
Member

lilioid commented Sep 30, 2024

I see. Thanks for taking the time to explain it :)

@lilioid lilioid merged commit 76ae516 into fsinfuhh:main Sep 30, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lilioid lilioid lilioid approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@timhallmann @lilioid