Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: IDToken nonce should not be checked (PS-385) #3994

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 2 additions & 9 deletions selfservice/strategy/oidc/strategy.go
Original file line number Diff line number Diff line change
Expand Up @@ -726,7 +726,7 @@ func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context, _ session.
}
}

func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken string) (*Claims, error) {
verifier, ok := provider.(IDTokenVerifier)
if !ok {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider))
Expand All @@ -750,14 +750,7 @@ func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provid
// If the provider does not support nonces, we don't do validation and return the claim.
// This case only applies to Apple, as some of their devices do not support nonces.
// https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
} else if idTokenNonce == "" {
// A nonce was present in the JWT token, but no nonce was submitted in the flow
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider"))
} else if idTokenNonce != claims.Nonce {
// The nonce from the JWT token does not match the nonce from the flow.
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
}
// Nonce checking was successful
}

return claims, nil
}
Expand Down
2 changes: 1 addition & 1 deletion selfservice/strategy/oidc/strategy_login.go
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
}

if p.IDToken != "" {
claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce)
claims, err := s.processIDToken(w, r, provider, p.IDToken)
if err != nil {
return nil, s.handleError(w, r, f, pid, nil, err)
}
Expand Down
2 changes: 1 addition & 1 deletion selfservice/strategy/oidc/strategy_registration.go
Original file line number Diff line number Diff line change
Expand Up @@ -196,7 +196,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat
}

if p.IDToken != "" {
claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce)
claims, err := s.processIDToken(w, r, provider, p.IDToken)
if err != nil {
return s.handleError(w, r, f, pid, nil, err)
}
Expand Down
28 changes: 0 additions & 28 deletions selfservice/strategy/oidc/strategy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -800,23 +800,6 @@ func TestStrategy(t *testing.T) {
require.Equal(t, "No nonce was included in the id_token but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
},
},
{
name: "should fail if no nonce is supplied in request",
idToken: `{
"iss": "https://appleid.apple.com",
"sub": "{{sub}}",
"nonce": "{{nonce}}"
}`,
v: func(provider, token, _ string) url.Values {
return url.Values{
"id_token": {token},
"provider": {provider},
}
},
expect: func(t *testing.T, res *http.Response, body []byte) {
require.Equal(t, "No nonce was provided but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
},
},
{
name: "should pass if claims are valid",
idToken: `{
Expand All @@ -828,17 +811,6 @@ func TestStrategy(t *testing.T) {
require.NotEmpty(t, gjson.GetBytes(body, "session_token").String(), "%s", body)
},
},
{
name: "nonce mismatch",
idToken: `{
"iss": "https://appleid.apple.com",
"sub": "{{sub}}",
"nonce": "random-nonce"
}`,
expect: func(t *testing.T, res *http.Response, body []byte) {
require.Equal(t, "The supplied nonce does not match the nonce from the id_token", gjson.GetBytes(body, "error.reason").String(), "%s", body)
},
},
} {
tc := tc
t.Run(fmt.Sprintf("flow=registration/case=%s", tc.name), func(t *testing.T) {
Expand Down
Loading