ory · HenryTabima · Jul 2, 2024 · Jul 3, 2024
@@ -474,6 +474,9 @@
           "format": "uri",
           "examples": ["https://accounts.google.com"]
         },
+        "require_nonce": {
+          "type": "boolean"
+        },
         "auth_url": {
           "type": "string",
           "format": "uri",

@@ -535,6 +535,9 @@
             "https://accounts.google.com"
           ]
         },
+        "require_nonce": {
+          "type": "boolean"
+        },
         "auth_url": {
           "type": "string",
           "format": "uri",

@@ -12,7 +12,6 @@
 	"net/url"
 	"time"
 
-	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v4"
 
 	"github.com/pkg/errors"
@@ -35,7 +34,6 @@
 			config: config,
 			reg:    reg,
 		},
-		JWKSUrl: "https://appleid.apple.com/auth/keys",
 	}
 }
 
@@ -154,15 +152,8 @@

 var _ IDTokenVerifier = new(ProviderApple)
 
 const issuerUrlApple = "https://appleid.apple.com"
 
-func (a *ProviderApple) Verify(ctx context.Context, rawIDToken string) (*Claims, error) {
-	keySet := oidc.NewRemoteKeySet(ctx, a.JWKSUrl)
-
-	ctx = oidc.ClientContext(ctx, a.reg.HTTPClient(ctx).HTTPClient)
-	return verifyToken(ctx, keySet, a.config, rawIDToken, issuerUrlApple)
-}
-
 var _ NonceValidationSkipper = new(ProviderApple)
 
 func (a *ProviderApple) CanSkipNonce(c *Claims) bool {

@@ -54,6 +54,9 @@ type Configuration struct {
 	// If set, neither `auth_url` nor `token_url` are required.
 	IssuerURL string `json:"issuer_url"`
 
+	// For ID token validation, determines if nonce validation is required. Not all providers support nonce.
+	RequireNonce bool `json:"require_nonce"`
+
 	// AuthURL is the authorize url, typically something like: https://example.org/oauth2/auth
 	// Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
 	// `provider` is set to `generic`.

@@ -58,6 +58,17 @@ func (g *ProviderGenericOIDC) provider(ctx context.Context) (*gooidc.Provider, e
 	return g.p, nil
 }
 
+func getJWKSURL(provider *gooidc.Provider) (string, error) {
+	var claims struct {
+		JWKSURL string `json:"jwks_uri"`
+	}
+
+	if err := provider.Claims(&claims); err != nil {
+		return "", err
+	}
+	return claims.JWKSURL, nil
+}
+
 func (g *ProviderGenericOIDC) oauth2ConfigFromEndpoint(ctx context.Context, endpoint oauth2.Endpoint) *oauth2.Config {
 	scope := g.config.Scope
 	if !stringslice.Has(scope, gooidc.ScopeOpenID) {
@@ -214,3 +225,24 @@ func (g *ProviderGenericOIDC) verifiedIDToken(ctx context.Context, exchange *oau
 
 	return token, nil
 }
+
+var _ IDTokenVerifier = new(ProviderGenericOIDC)
+
+func (p *ProviderGenericOIDC) Verify(ctx context.Context, rawIDToken string) (*Claims, error) {
+	provider, _ := p.provider(ctx)
+	jwksURL, _ := getJWKSURL(provider)
+	keySet := gooidc.NewRemoteKeySet(ctx, jwksURL)
+	ctx = gooidc.ClientContext(ctx, p.reg.HTTPClient(ctx).HTTPClient)
+	return verifyToken(ctx, keySet, p.config, rawIDToken, p.config.IssuerURL)
+}
+
+var _ NonceValidationSkipper = new(ProviderGenericOIDC)
+
+func (a *ProviderGenericOIDC) CanSkipNonce(c *Claims) bool {
+	if a.config.RequireNonce {
+		return false
+	}
+
+	// Not all SDKs support nonce validation, so we skip it if no nonce is present in the claims of the ID Token.
+	return c.Nonce == ""
+}
@@ -27,7 +27,6 @@
 			config: config,
 			reg:    reg,
 		},
-		JWKSUrl: "https://www.googleapis.com/oauth2/v3/certs",
 	}
 }
 
@@ -71,14 +70,8 @@

 var _ IDTokenVerifier = new(ProviderGoogle)
 
 const issuerUrlGoogle = "https://accounts.google.com"
 
-func (p *ProviderGoogle) Verify(ctx context.Context, rawIDToken string) (*Claims, error) {
-	keySet := gooidc.NewRemoteKeySet(ctx, p.JWKSUrl)
-	ctx = gooidc.ClientContext(ctx, p.reg.HTTPClient(ctx).HTTPClient)
-	return verifyToken(ctx, keySet, p.config, rawIDToken, issuerUrlGoogle)
-}
-
 var _ NonceValidationSkipper = new(ProviderGoogle)
 
 func (a *ProviderGoogle) CanSkipNonce(c *Claims) bool {