InseeFr / Keycloak-FranceConnect

Keycloak extension making it easier to use FranceConnect
MIT License

[HELP/FEAT] France connect V2 : nonce's length constraint ? #53

Closed semangard closed 2 years ago

semangard commented 3 years ago

Hello,

As indicated in https://github.com/InseeFr/Keycloak-FranceConnect/issues/52, we would like to use your KC extension with FranceConnect V2, but we are facing issues with the target URL.

Meanwhile, we tried to configure and use a default KC OIDC provider. But we are getting HTTP error codes from FranceConnect V2 because the acr is missing and also because the nonce does not have the expected length.

According to https://github.com/InseeFr/Keycloak-FranceConnect/blob/master/src/main/java/fr/insee/keycloak/provider/FranceConnectIdentityProvider.java, we see that you did indeed add the acr, but what about the nonce? Have you also faced issues with the nonce's length and customized something in your extension?

Regards

micedre commented 3 years ago

The extension doesn't do anything on the nonce. Which keycloak version are you using?

semangard commented 3 years ago

KeyCloak version 11

semangard commented 3 years ago

Here is the call sent to FranceConnect; a nonce is added by KeyCloak but does not have the length expected by FranceConnect. [image: screenshot of the request]

micedre commented 3 years ago

I never had that error, could you try asking the FranceConnect team about it? There shouldn't be a size limit on the nonce.

semangard commented 3 years ago

I asked and the answer is exactly: "the nonce must be exactly 64 characters long"

micedre commented 3 years ago

From what I read in the code for Keycloak 11, this nonce should be exactly 20 bytes:
https://github.com/keycloak/keycloak/blob/11.0.3/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L758. I don't see the complete value in your screenshot, is it longer?

semangard commented 3 years ago

22 characters

micedre commented 3 years ago

So, less than the maximum that FranceConnect seems to support. Are you sure the error comes from the nonce?

semangard commented 3 years ago

It was the answer of FC.

I just asked them since when this constraint was introduced. I will share the answer.

micedre commented 3 years ago

OK, sorry, I did not see the "exactly"; I thought it was a max size (which I already find a bit weird :) ).

A fixed size seems to be against the OIDC specification, so there is a real case against it. If you have contact information you could share about this, could you send it to me (cedric.couralet@insee.fr) ?

semangard commented 3 years ago

Sent to your pro email.

micedre commented 3 years ago

Also, the nonce should not contain underscores. A fix for that is in the new release here: https://github.com/InseeFr/Keycloak-FranceConnect/releases/download/3.0-beta4-fcv2/keycloak-franceconnect-3.0-beta4-fcv2.jar
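The two constraints that surface in this thread (FranceConnect V2 wants a nonce of exactly 64 characters, and it must not contain an underscore) are easy to check against the nonce format Keycloak's generic OIDC broker emits, which is unpadded base64url of a few random bytes. The script below is an added illustration, not code from the Keycloak-FranceConnect extension or from Keycloak itself; the byte counts it feeds in are constructed. It shows why the 22-character value seen in the screenshot corresponds to 16 random bytes (20 bytes would give 27 characters), why base64url can produce underscores at all, and one way to produce a nonce that satisfies both constraints (32 random bytes rendered as 64 hex characters; the hex alphabet is an assumption on my side, the thread only rules out underscores).

```python
import base64
import secrets
from typing import List

# Constructed example; not code from the Keycloak-FranceConnect extension or Keycloak.
# Value FranceConnect gave in the thread: the nonce must be exactly 64 characters long.
FC_V2_NONCE_LENGTH = 64


def encode_nonce(raw: bytes) -> str:
    """Unpadded base64url of raw bytes: the shape of the nonce Keycloak's generic
    OIDC broker puts in the authorization request (the format, not the byte count,
    is the assumption here)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def base64url_length(num_bytes: int) -> int:
    """Number of characters unpadded base64url yields for num_bytes: ceil(4 * n / 3)."""
    return -(-4 * num_bytes // 3)


def check_fc_v2_nonce(nonce: str) -> List[str]:
    """Return the constraints from the thread that the nonce violates.

    An empty list means the nonce passes. Only the two constraints named in the
    issue (exact length 64, no underscore) are checked; FranceConnect may apply
    others that this page does not document.
    """
    problems = []
    if len(nonce) != FC_V2_NONCE_LENGTH:
        problems.append(f"length {len(nonce)}, expected exactly {FC_V2_NONCE_LENGTH}")
    if "_" in nonce:
        problems.append("contains underscore")
    return problems


def generate_fc_v2_nonce() -> str:
    """32 cryptographically random bytes as 64 lowercase hex characters.

    Hex is chosen because it is exactly the requested length and its alphabet
    [0-9a-f] can never contain an underscore; 256 bits of entropy is well above
    what replay protection needs."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Keycloak-style nonce from 16 random bytes: 22 characters, as seen in the thread.
    kc_nonce = encode_nonce(secrets.token_bytes(16))
    print(kc_nonce, check_fc_v2_nonce(kc_nonce))
    # 48 bytes of 0xff encode to 64 underscores: right length, forbidden character.
    print(check_fc_v2_nonce(encode_nonce(b"\xff" * 48)))
    # A nonce built for FranceConnect V2 passes both checks.
    fc_nonce = generate_fc_v2_nonce()
    print(fc_nonce, check_fc_v2_nonce(fc_nonce))
```

Because Keycloak generates the nonce inside the broker, a deployment cannot satisfy the 64-character rule from realm configuration alone; it has to come from the identity-provider implementation, which is why the extension release linked above carries the change rather than a settings tweak.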

semangard commented 3 years ago

OK, I will take this latest version.

micedre commented 2 years ago

Released here: https://github.com/InseeFr/Keycloak-FranceConnect/releases/tag/4.0.0