Specifying and validating nonce in auth code flow #173
Conversation
Suggestion, add functionality which combines the two steps into one?
Thanks for the review!
Answering two high level questions here:
does this already do nonce validation?
return self.client.obtain_token_by_authorization_code(
The answer is yes. In fact, we changed the unit test case this time and ran the test to confirm that. This PR is mainly about the public API surface change.
Suggestion, add functionality which combines the two steps into one?
We will, but not in this PR. Combining the two steps is essentially the other task in backlog of "providing acquire_token_interactive()".
And the 3rd question is answered below, inline.
Thanks @rayluo for the efforts 👍
The `nonce` is a behavior defined in OpenID Connect. This PR adds a `nonce` parameter into the `get_authorization_request_url(..., nonce=...)` so that it would be sent to Azure AD. This PR also adds a `nonce` parameter into the `acquire_token_by_authorization_code(..., nonce=...)` so that this method will perform the nonce check on the returned id token, automatically. We test it here. By the way, validating nonce has been embedded in MSAL .NET, although it happens implicitly when using public client application.