Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding support for a nonce #17

Merged
merged 3 commits into from
Jun 17, 2024
Merged

Adding support for a nonce #17

merged 3 commits into from
Jun 17, 2024

Conversation

moufmouf
Copy link
Collaborator

According to the OpenID connect spec:

nonce
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case-sensitive string.

Right now, if a client passes a "nounce", we don't give it back and
the client fails. This is happening to me right now with the client
from Matrix Synapse.

Here, I'm creating a new service (CurrentRequestService).
With this new service, I can get the current PSR-7 request.

I extend the AuthCodeGrant and inject this service into the extended class.
With this, I can:

  • read the "nonce" from the request
  • encode the "nonce" in the "code"

Then, in the IdTokenResponse, I read the "code" (if it is present),
extract the "nounce" and inject it in the ID token as a new claim.

The whole process is inspired by this comment: steverhoades/oauth2-openid-connect-server#47 (comment)

With those changes, nounce is correctly handled and I've successfully
tested a connection with the OpenID client from Matrix Synapse.

This PR is built on top of #16

@moufmouf moufmouf mentioned this pull request Jan 19, 2024
Closed
@moufmouf moufmouf mentioned this pull request Jan 24, 2024
Merged
@GewoonYorick GewoonYorick mentioned this pull request Apr 24, 2024
Merged
@moufmouf moufmouf mentioned this pull request Apr 25, 2024
Closed
@moufmouf moufmouf force-pushed the nonce branch 2 times, most recently from 815b202 to 9aabf8c Compare June 17, 2024 10:11
@moufmouf
Adding support for a nonce
688a72d 
According to the OpenID connect spec:

> nonce
> String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case-sensitive string.

Right now, if a client passes a "nounce", we don't give it back and
the client fails. This is happening to me right now with the client
from Matrix Synapse.

Here, I'm creating a new service (`CurrentRequestService`).
With this new service, I can get the current PSR-7 request.

I extend the AuthCodeGrant and inject this service into the extended class.
With this, I can:

- read the "nonce" from the request
- encode the "nonce" in the "code"

Then, in the `IdTokenResponse`, I read the "code" (if it is present),
extract the "nounce" and inject it in the ID token as a new claim.

The whole process is inspired by this comment: steverhoades/oauth2-openid-connect-server#47 (comment)

With those changes, nounce is correctly handled and I've successfully
tested a connection with the OpenID client from Matrix Synapse.
moufmouf added 2 commits June 17, 2024 12:15
@moufmouf
Changing the way Github Workflows are triggered
9713bbe 
Now, starting a workflow attached to a PR.
This way, when opening a PR, the workflow is visible in Github UI
@moufmouf
Applying ECS fixes
a20bdd1
@moufmouf
Copy link
Collaborator Author

Hey @ronvanderheijden ,

Following your last review (and the fact I broke CI), I realized that the CI checks were not visible when making a PR from a fork. I slightly changed the configuration of the CI to be sure that when a PR is open, Github actions are run (and are visible in the PR).

So long story short, the CI is now ok! Let's merge this!

@moufmouf moufmouf merged commit 16f2c2e into ronvanderheijden:main Jun 17, 2024
4 checks passed
@moufmouf moufmouf deleted the nonce branch June 17, 2024 10:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DarthLegiON DarthLegiON DarthLegiON approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@moufmouf @DarthLegiON