openid incompatible nonce implemention (hostUI aws-amplify-identity-broker difference) #127
Comments
13 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
using cognito hostUI you can get nonce in IdToken.
while aws-amplify-identity-broker you can't
※Pre Token Generation trigger cant override nonce and Pre Token trigger cant receive ClientMetadata
https://openid.net/specs/openid-connect-core-1_0.html
2. ID Token
nonce
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.
refs:
https://forums.aws.amazon.com/thread.jspa?threadID=303757
https://forums.aws.amazon.com/thread.jspa?threadID=335887
https://forums.aws.amazon.com/thread.jspa?threadID=305965
The text was updated successfully, but these errors were encountered: