fix: do not include nonce in ID tokens when not used (#570)

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>

token/jwt/claims_id_token.go

@@ -59,7 +59,7 @@ func (c *IDTokenClaims) ToMap() map[string]interface{} {
 		ret["aud"] = []string{}
 	}
 
-	if len(c.Nonce) >= 0 {
+	if len(c.Nonce) > 0 {
 		ret["nonce"] = c.Nonce
 	}
 

token/jwt/claims_id_token_test.go

@@ -30,25 +30,6 @@ import (
 	. "github.com/ory/fosite/token/jwt"
 )
 
-var idTokenClaims = &IDTokenClaims{
-	JTI:                                 "foo-id",
-	Subject:                             "peter",
-	IssuedAt:                            time.Now().UTC().Round(time.Second),
-	Issuer:                              "fosite",
-	Audience:                            []string{"tests"},
-	ExpiresAt:                           time.Now().UTC().Add(time.Hour).Round(time.Second),
-	AuthTime:                            time.Now().UTC(),
-	RequestedAt:                         time.Now().UTC(),
-	AccessTokenHash:                     "foobar",
-	CodeHash:                            "barfoo",
-	AuthenticationContextClassReference: "acr",
-	AuthenticationMethodsReference:      "amr",
-	Extra: map[string]interface{}{
-		"foo": "bar",
-		"baz": "bar",
-	},
-}
-
 func TestIDTokenAssert(t *testing.T) {
 	assert.NoError(t, (&IDTokenClaims{ExpiresAt: time.Now().UTC().Add(time.Hour)}).
 		ToMapClaims().Valid())
@@ -59,14 +40,31 @@ func TestIDTokenAssert(t *testing.T) {
 }
 
 func TestIDTokenClaimsToMap(t *testing.T) {
+	idTokenClaims := &IDTokenClaims{
+		JTI:                                 "foo-id",
+		Subject:                             "peter",
+		IssuedAt:                            time.Now().UTC().Round(time.Second),
+		Issuer:                              "fosite",
+		Audience:                            []string{"tests"},
+		ExpiresAt:                           time.Now().UTC().Add(time.Hour).Round(time.Second),
+		AuthTime:                            time.Now().UTC(),
+		RequestedAt:                         time.Now().UTC(),
+		AccessTokenHash:                     "foobar",
+		CodeHash:                            "barfoo",
+		AuthenticationContextClassReference: "acr",
+		AuthenticationMethodsReference:      "amr",
+		Extra: map[string]interface{}{
+			"foo": "bar",
+			"baz": "bar",
+		},
+	}
 	assert.Equal(t, map[string]interface{}{
 		"jti":       idTokenClaims.JTI,
 		"sub":       idTokenClaims.Subject,
 		"iat":       float64(idTokenClaims.IssuedAt.Unix()),
 		"rat":       float64(idTokenClaims.RequestedAt.Unix()),
 		"iss":       idTokenClaims.Issuer,
 		"aud":       idTokenClaims.Audience,
-		"nonce":     idTokenClaims.Nonce,
 		"exp":       float64(idTokenClaims.ExpiresAt.Unix()),
 		"foo":       idTokenClaims.Extra["foo"],
 		"baz":       idTokenClaims.Extra["baz"],
@@ -76,4 +74,23 @@ func TestIDTokenClaimsToMap(t *testing.T) {
 		"acr":       idTokenClaims.AuthenticationContextClassReference,
 		"amr":       idTokenClaims.AuthenticationMethodsReference,
 	}, idTokenClaims.ToMap())
+
+	idTokenClaims.Nonce = "foobar"
+	assert.Equal(t, map[string]interface{}{
+		"jti":       idTokenClaims.JTI,
+		"sub":       idTokenClaims.Subject,
+		"iat":       float64(idTokenClaims.IssuedAt.Unix()),
+		"rat":       float64(idTokenClaims.RequestedAt.Unix()),
+		"iss":       idTokenClaims.Issuer,
+		"aud":       idTokenClaims.Audience,
+		"exp":       float64(idTokenClaims.ExpiresAt.Unix()),
+		"foo":       idTokenClaims.Extra["foo"],
+		"baz":       idTokenClaims.Extra["baz"],
+		"at_hash":   idTokenClaims.AccessTokenHash,
+		"c_hash":    idTokenClaims.CodeHash,
+		"auth_time": idTokenClaims.AuthTime.Unix(),
+		"acr":       idTokenClaims.AuthenticationContextClassReference,
+		"amr":       idTokenClaims.AuthenticationMethodsReference,
+		"nonce":     idTokenClaims.Nonce,
+	}, idTokenClaims.ToMap())
 }