0.13 throws away oidc nonce provided by the application #180

ThiefMaster · 2020-01-14T16:53:38Z

See this snippet here:

authlib/authlib/integrations/_client/base_app.py

Lines 189 to 193 in 3834a2a

    
           if scope and scope.startswith('openid'): 
        
               # this is an OpenID Connect service 
        
               nonce = generate_token(20) 
        
               kwargs['nonce'] = nonce 
        
               rv['nonce'] = nonce

This is called from RemoteApp.create_authorization_url which is called by RemoteApp.authorize_redirect which is called by my application (I'm not using the registry).

So if I pass my own nonce (which I'm storing in the session myself) it gets overwritten, so when I try to parse the id token later it fails of course. I fixed it in my app like this but it feels extremely ugly.

So it would be nice if:

no new nonce was generated if the caller already provided one
there was an api to access the session data without popping it and without using internal apis (_get_session_data); using retrieve_access_token_params just to get the nonce would be pretty inappropriate since it does much more
there was a proper OIDC client built-in in addition to the standard OAuth2 client ;)

The text was updated successfully, but these errors were encountered:

#180

lepture · 2020-02-11T14:14:56Z

Fixed in v0.14

ThiefMaster added the bug label Jan 14, 2020

ThiefMaster assigned lepture Jan 14, 2020

lepture added a commit that referenced this issue Feb 11, 2020

Allow custom nonce for openid request

0d3e025

#180

lepture closed this as completed Feb 11, 2020

0.13 throws away oidc nonce provided by the application #180

0.13 throws away oidc nonce provided by the application #180

ThiefMaster commented Jan 14, 2020

lepture commented Feb 11, 2020

0.13 throws away oidc nonce provided by the application #180

0.13 throws away oidc nonce provided by the application #180

Comments

ThiefMaster commented Jan 14, 2020

lepture commented Feb 11, 2020