Pass through nonce in code flow #481
Conversation
How come the tests did pass before that? This implies we're missing coverage for a code branch where nonces are not present.
Reopening accidental close...
@wiliamsouza It's always been optional in code flow, but should still be included if present.
With missing tests LGTM
@@ -307,6 +307,7 @@ def openid_authorization_validator(self, request): | |||
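Review bot: no test accompanies the one-line change in `openid_authorization_validator`; as the thread notes, the existing suite passed without it, so the nonce-present branch is uncovered. Add a test that sends an authorization request carrying a nonce and asserts it appears in the returned credentials, and a second one without a nonce to cover the optional case.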
Suggestion: Add the following text to method doc string:
+ nonce
+ OPTIONAL. String value used to associate a Client session with an
+ ID Token, and to mitigate replay attacks. The value is passed
+ through unmodified from the Authentication Request to the ID Token.
+ Sufficient entropy MUST be present in the nonce values used to
+ prevent attackers from guessing values
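As an added illustration of what the suggested docstring text describes (example code, not oauthlib's own): the RP binds a high-entropy nonce to its session, the provider carries it unmodified from the authorization request through the stored credentials into the ID Token claims, and the RP checks it once so a replayed token fails. The function names and the dict-based session and credential shapes are assumptions.

```python
import hmac
import secrets


def build_auth_request(session: dict, client_id: str, redirect_uri: str) -> dict:
    """RP side: bind a fresh nonce to the user's session and send it in the request."""
    nonce = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable by an attacker
    session["oidc_nonce"] = nonce
    return {"response_type": "code", "scope": "openid", "client_id": client_id,
            "redirect_uri": redirect_uri, "nonce": nonce}


def authorization_credentials(auth_request: dict) -> dict:
    """Provider side (hypothetical shape): what is stored with the authorization code.
    The nonce is optional in the code flow, but when present it must be carried along."""
    creds = {"client_id": auth_request["client_id"]}
    if "nonce" in auth_request:
        creds["nonce"] = auth_request["nonce"]
    return creds


def id_token_claims(creds: dict, issuer: str, subject: str) -> dict:
    """Provider side: copy the stored nonce unmodified into the ID Token claims."""
    claims = {"iss": issuer, "sub": subject, "aud": creds["client_id"]}
    if "nonce" in creds:
        claims["nonce"] = creds["nonce"]
    return claims


def verify_nonce(session: dict, claims: dict) -> bool:
    """RP side: if a nonce was sent, the ID Token must echo it exactly.
    The session value is consumed on first use, so a replayed token is rejected."""
    expected = session.pop("oidc_nonce", None)
    if expected is None:
        # RP sent no nonce: nothing to check, but an unrequested nonce is treated as a mismatch
        return "nonce" not in claims
    got = claims.get("nonce")
    return isinstance(got, str) and hmac.compare_digest(expected, got)
```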
@thedrow Something like this 13c6cf5? Also, should the other OIDC params end up as credentials as well? If so, then I can add them in a similar way.
@skion Can you please rebase this branch?
I think I did not spot Rebased!
Frankly I'm not familiar with OpenID as much as OAuth2 to tell you yes or no. Up to you. |
Nonces are optional in authorization_code flow, but still should be passed through if the RP provided one. Also the claims parameter appeared to be processed twice.