From 42c527070bc6ecee584621847f92c3b863004f3c Mon Sep 17 00:00:00 2001 From: splaunov Date: Thu, 11 Jul 2024 13:54:56 +0300 Subject: [PATCH] fix: IDToken nonce should not be checked (PS-385) --- selfservice/strategy/oidc/strategy.go | 11 ++------ selfservice/strategy/oidc/strategy_login.go | 2 +- .../strategy/oidc/strategy_registration.go | 2 +- selfservice/strategy/oidc/strategy_test.go | 28 ------------------- 4 files changed, 4 insertions(+), 39 deletions(-) diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go index 6515d06367ee..5392ec65502d 100644 --- a/selfservice/strategy/oidc/strategy.go +++ b/selfservice/strategy/oidc/strategy.go @@ -726,7 +726,7 @@ func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context, _ session. } } -func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) { +func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken string) (*Claims, error) { verifier, ok := provider.(IDTokenVerifier) if !ok { return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider)) @@ -750,14 +750,7 @@ func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provid // If the provider does not support nonces, we don't do validation and return the claim. // This case only applies to Apple, as some of their devices do not support nonces. // https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple - } else if idTokenNonce == "" { - // A nonce was present in the JWT token, but no nonce was submitted in the flow - return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider")) - } else if idTokenNonce != claims.Nonce { - // The nonce from the JWT token does not match the nonce from the flow. - return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token")) - } - // Nonce checking was successful + } return claims, nil } diff --git a/selfservice/strategy/oidc/strategy_login.go b/selfservice/strategy/oidc/strategy_login.go index 42b948ec7c11..484ffbcfb7e5 100644 --- a/selfservice/strategy/oidc/strategy_login.go +++ b/selfservice/strategy/oidc/strategy_login.go @@ -238,7 +238,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, } if p.IDToken != "" { - claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce) + claims, err := s.processIDToken(w, r, provider, p.IDToken) if err != nil { return nil, s.handleError(w, r, f, pid, nil, err) } diff --git a/selfservice/strategy/oidc/strategy_registration.go b/selfservice/strategy/oidc/strategy_registration.go index 124e8539f6ea..070554271806 100644 --- a/selfservice/strategy/oidc/strategy_registration.go +++ b/selfservice/strategy/oidc/strategy_registration.go @@ -196,7 +196,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat } if p.IDToken != "" { - claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce) + claims, err := s.processIDToken(w, r, provider, p.IDToken) if err != nil { return s.handleError(w, r, f, pid, nil, err) } diff --git a/selfservice/strategy/oidc/strategy_test.go b/selfservice/strategy/oidc/strategy_test.go index 65c8f09b2e06..94c54bbba202 100644 --- a/selfservice/strategy/oidc/strategy_test.go +++ b/selfservice/strategy/oidc/strategy_test.go @@ -800,23 +800,6 @@ func TestStrategy(t *testing.T) { require.Equal(t, "No nonce was included in the id_token but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body) }, }, - { - name: "should fail if no nonce is supplied in request", - idToken: `{ - "iss": "https://appleid.apple.com", - "sub": "{{sub}}", - "nonce": "{{nonce}}" - }`, - v: func(provider, token, _ string) url.Values { - return url.Values{ - "id_token": {token}, - "provider": {provider}, - } - }, - expect: func(t *testing.T, res *http.Response, body []byte) { - require.Equal(t, "No nonce was provided but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body) - }, - }, { name: "should pass if claims are valid", idToken: `{ @@ -828,17 +811,6 @@ func TestStrategy(t *testing.T) { require.NotEmpty(t, gjson.GetBytes(body, "session_token").String(), "%s", body) }, }, - { - name: "nonce mismatch", - idToken: `{ - "iss": "https://appleid.apple.com", - "sub": "{{sub}}", - "nonce": "random-nonce" - }`, - expect: func(t *testing.T, res *http.Response, body []byte) { - require.Equal(t, "The supplied nonce does not match the nonce from the id_token", gjson.GetBytes(body, "error.reason").String(), "%s", body) - }, - }, } { tc := tc t.Run(fmt.Sprintf("flow=registration/case=%s", tc.name), func(t *testing.T) {