feat: generate nounce for id_token response type (#298)

lib/schemes/oauth2.js

@@ -1,4 +1,5 @@
 import { encodeQuery, parseQuery, randomString } from '../utilities'
+import nanoid from 'nanoid'
 
 const DEFAULTS = {
   token_type: 'Bearer',
@@ -80,6 +81,15 @@ export default class Oauth2Scheme {
       opts.audience = this.options.audience
     }
 
+    // Set Nonce Value if response_type contains id_token to mitigate Replay Attacks
+    // More Info: https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
+    // More Info: https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-06#section-4.6.2
+    if (opts.response_type.includes('id_token')) {
+      // nanoid auto-generates an URL Friendly, unique Cryptographic string
+      // Recommended by Auth0 on https://auth0.com/docs/api-auth/tutorials/nonce
+      opts.nonce = nanoid()
+    }
+
     this.$auth.$storage.setLocalStorage(this.name + '.state', opts.state)
 
     const url = this.options.authorization_endpoint + '?' + encodeQuery(opts)

package.json

@@ -47,7 +47,8 @@
     "cookie": "^0.3.1",
     "dotprop": "^1.0.2",
     "js-cookie": "^2.2.0",
-    "lodash": "^4.17.11"
+    "lodash": "^4.17.11",
+    "nanoid": "^2.0.1"
   },
   "devDependencies": {
     "@nuxtjs/toast": "^3.0.2",

yarn.lock

@@ -6425,6 +6425,11 @@ nan@^2.9.2:
   resolved "https://registry.yarnpkg.com/nan/-/nan-2.12.1.tgz#7b1aa193e9aa86057e3c7bbd0ac448e770925552"
   integrity sha512-JY7V6lRkStKcKTvHO5NVSQRv+RV+FIL5pvDoLiAtSL9pKlC5x9PKQcZDsq7m4FO4d57mkhC6Z+QhAh3Jdk5JFw==
 
+nanoid@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-2.0.1.tgz#deb55cac196e3f138071911dabbc3726eb048864"
+  integrity sha512-k1u2uemjIGsn25zmujKnotgniC/gxQ9sdegdezeDiKdkDW56THUMqlz3urndKCXJxA6yPzSZbXx/QCMe/pxqsA==
+
 nanomatch@^1.2.9:
   version "1.2.13"
   resolved "https://registry.yarnpkg.com/nanomatch/-/nanomatch-1.2.13.tgz#b87a8aa4fc0de8fe6be88895b38983ff265bd119"