Use request.nonce when generating hybrid id token

Like with the implicit grant, we need to override add_id_token to pass the nonce from the current request to GrantBase.add_id_token in order for the ID token to have the correct nonce. Add test that the nonce is in ID token from hybrid OIDC flow. Fixes: #746
oauthlib · Feb 12, 2021 · 89162b8 · 89162b8
1 parent 637c894
commit 89162b8
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -29,3 +29,4 @@ Brendan McCollam
 Jonathan Huot
 Pieter Ennes
 Olaf Conradi
+Tom Evans
diff --git a/oauthlib/openid/connect/core/grant_types/hybrid.py b/oauthlib/openid/connect/core/grant_types/hybrid.py
@@ -35,6 +35,9 @@ def __init__(self, request_validator=None, **kwargs):
         self.register_code_modifier(self.add_id_token)
         self.register_token_modifier(self.add_id_token)
 
+    def add_id_token(self, token, token_handler, request):
+        return super().add_id_token(token, token_handler, request, nonce=request.nonce)
+
     def openid_authorization_validator(self, request):
         """Additional validation when following the Authorization Code flow.
         """

diff --git a/tests/openid/connect/core/grant_types/test_hybrid.py b/tests/openid/connect/core/grant_types/test_hybrid.py
@@ -67,6 +67,15 @@ def test_required_nonce(self, generate_token):
         self.assertIsNone(b)
         self.assertEqual(s, 302)
 
+    def test_id_token_contains_nonce(self):
+        token = {}
+        self.mock_validator.get_id_token.side_effect = None
+        self.mock_validator.get_id_token.return_value = None
+        token = self.auth.add_id_token(token, None, self.request)
+        assert self.mock_validator.finalize_id_token.call_count == 1
+        claims = self.mock_validator.finalize_id_token.call_args[0][0]
+        assert "nonce" in claims
+
 
 class OpenIDHybridCodeIdTokenTokenTest(OpenIDAuthCodeTest):