Allow empty nonce from ID Tokens issued from Refresh Tokens #509
Comments
|
Thank you for sharing your idea. Meanwhile, if you're interested in implementing it yourself, we also welcome pull requests. |
|
The standard is a bit fishy on this.
Disable is indeed the easy solution, but not necessary the correct one. If we want to be 100% correct we should verify the nonce against the original ID Token, if it was returned with the new ID token. So in case of Entra ID you could work-around the issue by constructing the RP with the |
|
The standard also says (Section 12.2)
My problem is according the standard, its compliant to omit the nonce claim, too. In this case, I need a verifier which accepts both: an empty string and the nonce claim from the original ID Token. In my case, I support any OIDC provider and I have different results from Entra ID. While on my test, the nonce is empty, other users experience that error that nonce is non-empty. Would it be an option to check the nonce only, if its non-empty? That would be 100% correct, because it says check nonce only, if present. |
jkroepke
changed the title
|
I also tried something like this: ctx = context.WithValue(ctx, types.CtxNonce{}, "value")
newTokens, err := rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
if errors.Is(err, oidc.ErrNonceInvalid) {
ctx = context.WithValue(ctx, types.CtxNonce{}, "")
newTokens, err = rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
}but it fails, if the Provider has a one time usage policy for refresh tokens. |
|
@muhlemmer what did you think about empty nonce value is fine on refresh? |
|
Sorry lost track of this issue. With the above arguments you gave I agree that we can allow an empty nonce. Do you want to send a PR for that? |
Its spec compliant. If you read (Section 12.2):
which I interpret: claims from refresh response should be empty/non present. If not empty, the values should be equal to the initial value. If you would agree here, I would open a PR |
|
Yes, I wrote I agree ;) |
|
I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature |
Preflight Checklist
Describe your problem
I have the issue that ID Token from Microsoft Entra ID issued via an Refresh Token may have a nonce claim. According to OIDC Spec, such token should not contain an nonce claim (The clarification on SPEC introduced 14 months ago; https://bitbucket.org/openid/connect/pull-requests/341)
The IDToken verifier includes an non optional claim which fails in my scenria, if I to a RefreshToken against Microsoft Entra ID I got this error:
Describe your ideal solution
Since ID Tokens request by an RefreshToken should not contains a nonce anyways (technically, it's not possible to define one from client site and its defined in SPEC), I prefer to disable the nonce validation in such cases.
Version
3.8.1
Environment
Self-hosted
Additional Context
I'm aware that Microsoft should fix the logic in Entra ID, but I feel this will not happen in next moths...
The text was updated successfully, but these errors were encountered: