search

Drenso / symfony-oidc

This project contains the Symfony OIDC bundle, which is directly based on https://github.com/jumbojett/OpenID-Connect-PHP
Apache License 2.0
59 stars 32 forks source link

Can not disable verifyNonce when dealing with JWT claims #28

Closed bghenne closed 1 year ago

bghenne commented 1 year ago

Hello,

I'm calling an Open ID Connect which does not provide "nonce" into JWT claims inside the token. Warning: Undefined property: stdClass::$nonce

This does give me an error inside OidcJwtHelper::verifyJwtClaims method as it's called through OidcClient::authenticate method without the possibility of specifying parameter verifyNonce to set it to false.

// Request and verify the tokens return $this->verifyTokens( $this->requestTokens('authorization_code', $code, $this->getRedirectUrl()) );

So I dag a little bit and tried to create my own client but was not able to make it replace the default one.

I must say that I'm not particularly familiar with security stuffs into Symfony. Can you please tell me what I'm doing wrong ?

Thanks. Benjamin.

PS : Please find attached my configuration files. drenso_oidc.yaml.txt security.yaml.txt

bobvandevijver commented 1 year ago

The issue you have is because this bundle currently requires the nonce to be used and returned by the IdP. Replacing the complete client should be possible using the Symfony container by replacing the service id, but it is probably a lot easier to add an option to this bundle to disable the nonce completely. Would you be open to create a PR for that?

bghenne commented 1 year ago

There you have : https://github.com/Drenso/symfony-oidc/pull/30

Thank you.

bobvandevijver commented 1 year ago

Closed with #30.