Keats / jsonwebtoken

JWT lib in rust
MIT License

Nonce validation #352

Open aagmv opened 6 months ago

aagmv commented 6 months ago

OIDC has a nonce mechanism that gets included in the JWT to prevent replay attacks. Comparing it after decoding isn't particularly difficult, but neither would be checking the issuer or audience.

It still might be useful to integrate it as part of the decode-and-validate step. This could maybe be done similarly to the set_required_spec_claims method, with a set_expected_claim_values.

The downside is that it forces a new Validation object to be allocated on every request because the nonce changes every time.

use std::collections::HashMap;
use jsonwebtoken::{decode, Validation};

fn process_token(raw_token: &str, nonce: &str) -> Result<Decoded> {
    let mut val = Validation::default();
    // ... issuer, audience, algorithms
    // proposed API: expected values for per-request claims
    val.set_expected_claim_values(HashMap::from([("nonce", nonce)]));

    decode::<Claims>(raw_token, todo!(), &val)
}
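The post-decode comparison the comment describes, written out as an added std-only Rust example (not code from jsonwebtoken or from this thread). It assumes `Claims` has already been produced by `jsonwebtoken::decode` and that the expected nonce was stored in the login session when the authentication request was sent; the `used` set for consumed nonces is an assumed replay guard, not part of the library.

```rust
use std::collections::HashSet;

/// Claims as returned by `jsonwebtoken::decode::<Claims>(...)`.
/// In real code this also derives `serde::Deserialize`; that step is assumed here.
#[derive(Debug, Clone, PartialEq)]
pub struct Claims {
    pub sub: String,
    pub nonce: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum NonceError {
    /// The ID token carried no `nonce` claim at all.
    Missing,
    /// The token's nonce differs from the value stored for this login session.
    Mismatch,
    /// The nonce was already accepted once (replayed token).
    Replayed,
}

/// Constant-time byte comparison so that the position of a mismatch cannot be
/// inferred from timing. Lengths are compared first; leaking the length is fine.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// The post-decode nonce check: `expected` is the nonce generated for the
/// authentication request and kept in the user's session; `used` records
/// nonces already accepted so the same token cannot be presented twice.
pub fn validate_nonce(
    claims: &Claims,
    expected: &str,
    used: &mut HashSet<String>,
) -> Result<(), NonceError> {
    let nonce = claims.nonce.as_deref().ok_or(NonceError::Missing)?;
    if !ct_eq(nonce.as_bytes(), expected.as_bytes()) {
        return Err(NonceError::Mismatch);
    }
    if !used.insert(nonce.to_string()) {
        return Err(NonceError::Replayed);
    }
    Ok(())
}
```

Run this after signature, `exp`, issuer and audience validation have passed; a missing `nonce` claim is treated as a failure, not as "nothing to compare".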
Keats commented 6 months ago

Hmm I don't think this would belong to the library because of the need to instantiate a new Validation object as you say.