
Consider adding nonce to OIDC Authentication Request #4442

Closed
jgrandja opened this issue Jul 7, 2017 · 10 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)

jgrandja (Contributor) commented Jul 7, 2017

Related sections in spec:

3.1.2.1. Authentication Request
15.5.2. Nonce Implementation Notes
3.1.3.7. ID Token Validation

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) OIDC labels Jul 7, 2017
@jgrandja jgrandja added this to the 5.0.0.M3 milestone Jul 7, 2017
@jgrandja jgrandja self-assigned this Jul 7, 2017
@jgrandja jgrandja changed the title Add nonce to Authentication Request Consider adding nonce to Authentication Request Jul 7, 2017
@jgrandja jgrandja modified the milestones: 5.0.0.M3, 5.0.0.M4 Jul 24, 2017
@jgrandja jgrandja mentioned this issue Aug 15, 2017
@rwinch rwinch modified the milestones: 5.0.0.M4, 5.0.0.M5 Sep 13, 2017
@rwinch rwinch modified the milestones: 5.0.0.M5, 5.0.0.RC1 Oct 3, 2017
shazin added a commit to shazin/spring-security that referenced this issue Oct 13, 2017
shazin added a commit to shazin/spring-security that referenced this issue Oct 13, 2017
jgrandja (Contributor, Author) commented:

Related #4440 - Validate nonce as part of ID Token Validation

@rwinch rwinch modified the milestones: 5.0.0.RC1, 5.0.0 Oct 30, 2017
@jgrandja jgrandja removed this from the 5.0.0 milestone Nov 7, 2017
@jgrandja jgrandja added this to the 5.0.1 milestone Dec 12, 2017
jgrandja (Contributor, Author) commented:

The nonce generated by the client during the Authentication Request needs to be stored temporarily so that it can be validated during ID Token Validation. Given these storage requirements, moving this issue to 5.1.

@jgrandja jgrandja modified the milestones: 5.0.1, 5.1.0.M1 Jan 15, 2018
jgrandja (Contributor, Author) commented:

Given the 15.5.2. Nonce Implementation Notes, here is a proposed implementation:

Generate nonce for Authentication Request

  • Concatenate the attributes contained in OAuth2AuthorizationRequest along with the HttpSession.id and hash this to produce the nonce.

Validate nonce during ID Token Validation

  • Use the same strategy as per above to generate the nonce value by hashing the concatenation of the attributes contained in OAuth2AuthorizationRequest along with the HttpSession.id. Compare this generated nonce with the nonce in the ID Token for verification.

Given this implementation, we may not need a separate storage facility for the nonce value as it can be deduced from the HttpSession.id and OAuth2AuthorizationRequest which is stored in the AuthorizationRequestRepository.
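The derivation sketched in the proposal above, written out as an added example (this is not Spring Security's code and not the implementation that eventually landed). It assumes a hypothetical StoredRequest stand-in for the OAuth2AuthorizationRequest held in the AuthorizationRequestRepository, a constructed HttpSession.id, and a canonical key=value concatenation so that both generation and validation hash byte-identical input:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

public class DerivedNonceDemo {

    // Hypothetical stand-in for the stored OAuth2AuthorizationRequest. A TreeMap fixes the
    // iteration order so the generation and validation sides concatenate identically.
    static final class StoredRequest {
        final Map<String, String> attributes = new TreeMap<>();
    }

    // nonce = base64url( SHA-256( sessionId + canonical(attributes) ) )
    // Assumes attribute values contain no newline, so the encoding is unambiguous.
    static String deriveNonce(String sessionId, Map<String, String> attributes) {
        StringBuilder input = new StringBuilder(sessionId);
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            input.append('\n').append(e.getKey()).append('=').append(e.getValue());
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(input.toString().getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    // Validation: recompute from the current session id and the request loaded from the
    // repository, then compare in constant time with the ID Token's nonce claim.
    static boolean validateNonce(String sessionId, StoredRequest request, String idTokenNonce) {
        if (idTokenNonce == null) {
            return false; // we sent a nonce, so the token must echo one back
        }
        byte[] expected = deriveNonce(sessionId, request.attributes).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, idTokenNonce.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample request and session id (not real values).
        StoredRequest request = new StoredRequest();
        request.attributes.put("registration_id", "login-client");
        request.attributes.put("state", "xyz123");
        request.attributes.put("redirect_uri", "https://client.example/login/oauth2/code/login-client");
        String sessionId = "A1B2C3";

        // Generation side: this value goes out as the nonce parameter.
        String nonce = deriveNonce(sessionId, request.attributes);

        // Happy path: provider echoes the nonce into the ID Token, same session handles the callback.
        System.out.println("same session, same request: " + validateNonce(sessionId, request, nonce));

        // An ID Token minted for a request bound to some other session derives differently.
        System.out.println("other session rejected: " + !validateNonce("Z9Y8X7", request, nonce));

        // Tampered claim is rejected as well.
        System.out.println("altered claim rejected: " + !validateNonce(sessionId, request, nonce + "x"));
    }
}
```

Because the nonce is a function of HttpSession.id, the recomputation only succeeds if the callback is handled in the same session that issued the request; if the container assigns a new session id between the redirect and the callback, validation fails by construction, which is the trade-off for not storing the nonce separately.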

@jgrandja jgrandja modified the milestones: 5.1.0.M1, 5.1.0.RC1 Jan 30, 2018
bssaini001 commented:
Will this feature make it into next month's release? Thanks, Bhupinder

jgrandja (Contributor, Author) commented Mar 9, 2018

It is planned for the 5.1 release. I'm working on other priorities at the moment but we will get to this.

@jgrandja jgrandja removed this from the 5.1.0.M2 milestone Jul 24, 2018
@jgrandja jgrandja removed their assignment Nov 20, 2018
@jgrandja jgrandja added this to the General Backlog milestone Nov 20, 2018
forgo commented Jan 10, 2019

@jgrandja Was this implemented?

jgrandja (Contributor, Author) commented:

@forgo No not yet. Other items have taken priority so far.

@rwinch rwinch changed the title Consider adding nonce to Authentication Request Consider adding nonce to OAuth2 Authentication Request Jan 14, 2019
@rwinch rwinch removed the OIDC label May 3, 2019
mkheck (Contributor) commented May 16, 2019

Hey @jgrandja, I'll take this one on.

mkheck added a commit to mkheck/spring-security that referenced this issue Sep 7, 2019
…est, also added comparison+verification in IdToken
mkheck added a commit to mkheck/spring-security that referenced this issue Sep 7, 2019
mkheck added a commit to mkheck/spring-security that referenced this issue Sep 9, 2019
mkheck added a commit to mkheck/spring-security that referenced this issue Sep 11, 2019
Implements nonce functionality for OpenID Connect
authentication request in OAuth2 Authorization Code flow.
This includes the following capabilities:

* Generate nonce

* Generate hash of nonce

* Add nonce to attributes and hash to additional
parameters of authentication request

* Propagate hash to authentication response

* Verify hash upon receipt of response by hashing
original nonce

* Complete all relevant tests

Fixes/implements spring-projectsgh-4442
mkheck added a commit to mkheck/spring-security that referenced this issue Sep 20, 2019
Made changes requested by Joe Grandja to PR, including addition of test
when nonce isn't present in request.

Fixes spring-projectsgh-4442 and addresses changes requested to PR
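The scheme the commit messages above describe (random nonce kept in the request attributes, its hash sent as the nonce parameter, and the hash re-derived from the stored nonce when the ID Token comes back), as an added example that is not the project's code. It assumes a hypothetical AuthorizationRequest stand-in with attributes (client-side only) and additionalParameters (sent on the redirect), a constructed provider that echoes the nonce parameter into the claims, and that a request carrying no nonce has nothing to validate:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class OidcNonceDemo {

    // Hypothetical stand-in for OAuth2AuthorizationRequest with only the parts the demo needs.
    static final class AuthorizationRequest {
        final Map<String, String> attributes = new HashMap<>();           // kept client-side
        final Map<String, String> additionalParameters = new HashMap<>(); // sent to the provider
    }

    static final SecureRandom RANDOM = new SecureRandom();
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static String sha256Base64Url(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(input.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    // Before the redirect: generate the nonce, keep it in the attributes, send only its hash.
    static AuthorizationRequest buildAuthorizationRequest() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String nonce = B64URL.encodeToString(raw);
        AuthorizationRequest request = new AuthorizationRequest();
        request.attributes.put("nonce", nonce);
        request.additionalParameters.put("nonce", sha256Base64Url(nonce));
        return request;
    }

    // Constructed provider: copies whatever nonce parameter it received into the ID Token claims.
    static Map<String, Object> issueIdTokenClaims(String nonceParameter) {
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "user-123");
        if (nonceParameter != null) {
            claims.put("nonce", nonceParameter);
        }
        return claims;
    }

    // After the response: hash the stored nonce again and compare with the claim in constant time.
    static boolean nonceMatches(AuthorizationRequest request, Map<String, Object> idTokenClaims) {
        String requestNonce = request.attributes.get("nonce");
        if (requestNonce == null) {
            return true; // assumption: no nonce was sent, so there is nothing to check
        }
        Object claim = idTokenClaims.get("nonce");
        if (!(claim instanceof String)) {
            return false; // we sent a nonce, so a token without one is not for this request
        }
        byte[] expected = sha256Base64Url(requestNonce).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = ((String) claim).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        AuthorizationRequest request = buildAuthorizationRequest();
        Map<String, Object> good = issueIdTokenClaims(request.additionalParameters.get("nonce"));
        System.out.println("matching nonce accepted: " + nonceMatches(request, good));

        // An ID Token obtained for a different request carries a hash of a different nonce.
        AuthorizationRequest other = buildAuthorizationRequest();
        Map<String, Object> replayed = issueIdTokenClaims(other.additionalParameters.get("nonce"));
        System.out.println("token from another request rejected: " + !nonceMatches(request, replayed));

        // The provider dropped the claim although a nonce was sent.
        System.out.println("missing claim rejected: " + !nonceMatches(request, issueIdTokenClaims(null)));

        // No nonce was ever attached to this request, so validation is skipped.
        AuthorizationRequest withoutNonce = new AuthorizationRequest();
        System.out.println("request without nonce passes: " + nonceMatches(withoutNonce, issueIdTokenClaims(null)));
    }
}
```

Sending the hash rather than the nonce itself means the value that appears in the redirect URL, in server logs and in the ID Token cannot be turned back into the stored secret; only the client that holds the original nonce can reproduce the claim value.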
@jgrandja jgrandja self-assigned this Sep 23, 2019
@jgrandja jgrandja added the type: enhancement A general enhancement label Sep 23, 2019
@jgrandja jgrandja modified the milestones: General Backlog, 5.2.0 Sep 23, 2019
@jgrandja jgrandja changed the title Consider adding nonce to OAuth2 Authentication Request Consider adding nonce to OIDC Authentication Request Sep 23, 2019
jgrandja added a commit that referenced this issue Sep 26, 2019
hejianchao commented:
Is there a switch to turn off the nonce?

jgrandja (Contributor, Author) commented Dec 3, 2019

@hejianchao No there isn't a setting/property available to turn it off. Are you having issues with it? Why do you want it disabled?
