Can not disable verifyNonce when dealing with JWT claims

[bghenne]

Hello,

I'm calling an Open ID Connect which does not provide "nonce" into JWT claims inside the token.
Warning: Undefined property: stdClass::$nonce

This does give me an error inside OidcJwtHelper::verifyJwtClaims method as it's called through OidcClient::authenticate method without the possibility of specifying parameter verifyNonce to set it to false.

// Request and verify the tokens return $this->verifyTokens( $this->requestTokens('authorization_code', $code, $this->getRedirectUrl()) );

So I dag a little bit and tried to create my own client but was not able to make it replace the default one.

I must say that I'm not particularly familiar with security stuffs into Symfony.
Can you please tell me what I'm doing wrong ?

Thanks.
Benjamin.

PS : Please find attached my configuration files.
drenso_oidc.yaml.txt
security.yaml.txt

[bobvandevijver]

The issue you have is because this bundle currently requires the nonce to be used and returned by the IdP. Replacing the complete client should be possible using the Symfony container by replacing the service id, but it is probably a lot easier to add an option to this bundle to disable the nonce completely. Would you be open to create a PR for that?

[bghenne]

There you have : #30

Thank you.

[bobvandevijver]

Closed with #30.