
feat(oauth2): make nonce settable when response_type includes 'token' #709

Merged (1 commit), Jan 23, 2021

Conversation

gagandeep (Contributor)

Keycloak required a nonce for response_type=token, but there was no way I was able to set the nonce.

May 29, 2020: @gagandeep changed the title from "Making nonce settable even response_type is not equal to 'id_token'" to "Making nonce settable even for response_type not equal to 'id_token'".
May 29, 2020: @gagandeep changed the title from "Making nonce settable even for response_type not equal to 'id_token'" to "Making nonce settable even if response_type is not equal to 'id_token'".

gagandeep (Contributor, Author)

@pi0 & @JoaoPedroAS51 Please review this.

jkupcho commented Jun 15, 2020

You can enforce a nonce being sent by setting the response_type to id_token.

See:
https://github.com/nuxt-community/auth-module/blob/v4.9.1/lib/schemes/oauth2.js#L106

gagandeep (Contributor, Author) commented Jun 16, 2020

@jkupcho I agree with you. But if I need to set a nonce without id_token, as in my case, it was not possible, since it is a programmatic flaw.

We are extracting the nonce from params in https://github.com/nuxt-community/auth-module/blob/v4.9.1/lib/schemes/oauth2.js#L82

However, we are setting the nonce only if response_type is id_token, as you pointed out.

My expectation was to set the nonce through params; however, because of the above-explained logic, the nonce cannot be set through params unless response_type is id_token.

Let me know if you agree with me or not.

jkupcho commented Jun 20, 2020

Yeah, I think that makes sense. Are you seeing flows where the nonce is necessary outside of id_token?

gagandeep (Contributor, Author)

Keycloak has the nonce enabled for token also. The default value of nonce usage in Keycloak is true.

useNonce - Adds a cryptographic nonce to verify that the authentication response matches the request (default is true).
https://www.keycloak.org/docs/latest/securing_apps/#methods

JoaoPedroAS51 (Collaborator) left a review comment

Hi @gagandeep! I'm so sorry for the delay. Thank you for your PR! Nice work 😃

Just left a comment :)

Review comment on src/schemes/oauth2.ts (outdated, resolved)
Co-authored-by: João Pedro Antunes Silva <joao-pedroas@hotmail.com>
Jan 23, 2021: @JoaoPedroAS51 changed the title from "Making nonce settable even if response_type is not equal to 'id_token'" to "feat: make nonce settable when response_type includes 'token'".
Jan 23, 2021: @JoaoPedroAS51 changed the title from "feat: make nonce settable when response_type includes 'token'" to "feat(oauth2): make nonce settable when response_type includes 'token'".
Jan 23, 2021: @JoaoPedroAS51 merged commit 92eabbd into nuxt-community:dev.