Add nonce to OIDC Authentication Request

[mkheck]

This is a PR for gh-4442: Consider adding nonce to OAuth2 Authentication Request (#4442).

I've coded the implementation & tests for creating+passing+verifying the nonce in the ID token, and all tests pass (with the exception of the one that wasn't passing in the codebase before).

I would like to open a follow-on request to push some optimizing changes out a bit further.
I'm getting everything I need within the OidcIdTokenValidator by retrieving the nonce via claims, but it would be cleaner to change from dealing with Jwt to dealing with OIdcIdTokens instead. But that would necessitate reaching into & reworking DefaultOidcIdTokenValidatorFactory (& of course tests associated, etc.) and everything that touches. And it touches quite a lot.

In short, this all works, so I believe the issue to be feature complete. But I would like to extend further changes to present a more specific solution throughout.

[jgrandja]

@mkheck Thanks for the PR! I left a couple of comments for you. Also, can you please rebase off master and squash commits to one and than force push. Please ensure you do fast-forward merges as we use this git process. Thanks!

[jgrandja]

@mkheck I've been thinking about whether the nonce validation should happen in OidcIdTokenValidator or OidcAuthorizationCodeAuthenticationProvider. Although it seems natural that it should happen in OidcIdTokenValidator, there are some challenges with that since either nonce should be passed in via the constructor, as you have it:

public OidcIdTokenValidator(ClientRegistration clientRegistration, String nonce)

which is not ideal since we would have to create a new OidcIdTokenValidator per request since the specific nonce is request specific.

The other solution is to implement the validation check in OidcAuthorizationCodeAuthenticationProvider, which would work well since we have access to the OidcIdToken and OAuth2AuthorizationRequest. We are also doing validation checks there between the OAuth2AuthorizationRequest and OAuth2AuthorizationResponse. So I say we implement the nonce check directly in OidcAuthorizationCodeAuthenticationProvider.

Makes sense?

[jgrandja]

Thanks for the updates @mkheck! I left some further feedback. Looks like there are some test failures. You can run ./gradlew --refresh-dependencies clean check to ensure build passes before you push.

Also, can you update the commit messages to follow this format.

[jgrandja]

If the nonce hash could not be created because of JCE crypto lib missing than we should not add the nonce to attributes, effectively creating an Authentication Request without a nonce as is the current impl.

[mkheck]

Hi @jgrandja,

Good catches one and all. I've reworked per your recommendations and all build tests pass. LDAP integration tests are failing, but I suppose those are resolved by Travis?

I've also formatted the commit message per the guidelines you provided. 😃

Please let me know of any additional changes required or desired. Thanks!

[mkheck]

Missed 4 unit tests in OAuth2AuthorizationRequestRedirectFilterTests, fixed & re-pushed. Please let me know if I need to repackage in some way. 😑

Still getting local failures with various LDAP tests under org.springframework.security.config.ldap, but I did not modify those. Integration tests to complete successfully in CI pipeline?

[jgrandja]

Thanks for the updates @mkheck. Please see comments inline.

[mkheck]

Please let me know Joe, thanks!

[jgrandja]

Thanks for the updates @mkheck. Please see my comments.

Also, can you add a test in OidcAuthorizationCodeReactiveAuthenticationManagerTests

[jgrandja]

Thanks for the PR @mkheck! This is now in master via da9f027. Please take a look at the polish commit d3b7a47 and let me know if you have any questions.
Thanks again!