damienbod / angular-auth-oidc-client

npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow
https://www.npmjs.com/package/angular-auth-oidc-client
MIT License

[Bug]: Nonce validation after refresh token use is incorrect #1642

Open crubach opened 1 year ago

crubach commented 1 year ago

Version

15.0.2

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

An OIDC-certified provider such as node-oidc-provider can opt to include the nonce value in ID tokens returned when a /token request is made with a previously obtained refresh token.

The library will throw an error similar to "Validate_id_token_nonce failed, dataIdToken.nonce: 11f86d9059c1100ef98180db0f3d17fbe3Ft1o9Wq local_nonce:--RefreshToken--" by default when the provider returns an id token with the nonce matching the *original* request (here: 11f86d9059c1100ef98180db0f3d17fbe3Ft1o9Wq).

The most recent errata for OpenID Connect ( https://bitbucket.org/openid/connect/pull-requests/341/errata-clarified-nonce-during-id-token ) clarify that this behavior is correct/allowed:

    ... if it is present,
    its value MUST be the same as in the ID Token issued
    at the time of the original authentication

even though the library attempts to check for the presence of the nonce value it uses during the refresh attempt.

Steps to reproduce the behavior

Use node-oidc-provider and configure a sample client configuration allowing "grantTypes": ["refresh_token"], request the offline_access scope and the consent prompt, and set the access token expiration to be short-lived.

A clear and concise description of what you expected to happen.

ValidateIdTokenNonce in the provider should check for a match with the nonce value from the original authentication attempt, not the renewal attempt if it is present (to match the OIDC standard addendum).

Additional context

No response
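The check the report asks for, written out as an added example (this is not code from angular-auth-oidc-client; the function names, the session store and the sample claims are constructed here). The first function is the original-authentication rule, where the nonce claim is required and must match the nonce the client sent; the second is the refresh rule from the quoted errata, where the claim is optional but, if present, must equal the nonce remembered from the original authentication. A third function reconstructs the comparison suggested by the quoted error message (token nonce against a refresh-time placeholder) only to contrast the two outcomes; that it mirrors the library's actual logic is an assumption.

```typescript
// Added example, not library code. Demonstrates ID token nonce validation
// at the original authentication and after a refresh-token exchange, per the
// OpenID Connect errata quoted in the issue. All names are constructed.

interface IdTokenClaims {
  sub: string;
  nonce?: string;
}

// Per-session state: the original nonce is kept for the lifetime of the
// session so that later refresh responses can be checked against it.
// A refresh never overwrites it with a placeholder.
interface SessionState {
  originalNonce: string | null;
}

type NonceCheck = { ok: true } | { ok: false; reason: string };

// Original authentication: the nonce claim is REQUIRED and MUST equal the
// nonce the client sent in the authorization request.
function validateNonceAtAuthentication(
  claims: IdTokenClaims,
  sentNonce: string,
  session: SessionState,
): NonceCheck {
  if (claims.nonce === undefined) {
    return { ok: false, reason: 'nonce claim missing from ID token' };
  }
  if (claims.nonce !== sentNonce) {
    return { ok: false, reason: `nonce mismatch: token=${claims.nonce} expected=${sentNonce}` };
  }
  session.originalNonce = sentNonce; // remember it for later refreshes
  return { ok: true };
}

// Refresh-token exchange: no nonce is sent with the /token request, so the
// claim is OPTIONAL; if the provider includes it anyway, it MUST equal the
// nonce from the original authentication.
function validateNonceAfterRefresh(claims: IdTokenClaims, session: SessionState): NonceCheck {
  if (claims.nonce === undefined) {
    return { ok: true };
  }
  if (session.originalNonce === null) {
    return { ok: false, reason: 'ID token carries a nonce but no original nonce is stored for this session' };
  }
  if (claims.nonce !== session.originalNonce) {
    return {
      ok: false,
      reason: `nonce mismatch after refresh: token=${claims.nonce} original=${session.originalNonce}`,
    };
  }
  return { ok: true };
}

// Contrast case, reconstructed from the error message quoted in the report
// (an assumption about the library's logic, not its source): comparing the
// token's nonce against a refresh-time placeholder rejects every provider
// that echoes the original nonce.
const REFRESH_PLACEHOLDER = '--RefreshToken--';
function placeholderComparison(claims: IdTokenClaims): NonceCheck {
  if (claims.nonce !== undefined && claims.nonce !== REFRESH_PLACEHOLDER) {
    return { ok: false, reason: `nonce mismatch: token=${claims.nonce} local=${REFRESH_PLACEHOLDER}` };
  }
  return { ok: true };
}

// Constructed walk-through: a login, then a refresh whose ID token echoes
// the original nonce (the node-oidc-provider behaviour described above).
function demo(): { loginOk: boolean; refreshOk: boolean; placeholderOk: boolean } {
  const session: SessionState = { originalNonce: null };
  const sentNonce = 'n-0S6_WzA2Mj'; // constructed client nonce
  const loginToken: IdTokenClaims = { sub: 'user-1', nonce: sentNonce };
  const refreshedToken: IdTokenClaims = { sub: 'user-1', nonce: sentNonce };

  const loginOk = validateNonceAtAuthentication(loginToken, sentNonce, session).ok;
  const refreshOk = validateNonceAfterRefresh(refreshedToken, session).ok;
  const placeholderOk = placeholderComparison(refreshedToken).ok;
  return { loginOk, refreshOk, placeholderOk };
}
```

Signature verification, issuer, audience and expiry checks are separate steps that run before this claim check; the example only covers the nonce rule the issue is about. The point to take from `demo()` is that the errata-conformant check accepts the refreshed token while the placeholder comparison rejects it, which is exactly the error the report quotes.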

damienbod commented 1 year ago

I think the nonce validation is correct. I don't think this is part of the refresh. I will read up on this and validate.

Thanks for reporting

Greetings Damien

fabbio204 commented 1 year ago

I had the same problem.

I have a server with OpenIddict, and I created a configuration for sample-code-flow-auto-login.

To fix this error, I made some changes in the core project:

File state-validations.service.ts

File refresh-session-callback-handler.service.ts

But I have a question: do these changes make sense for this problem?

@damienbod

nkelemen18 commented 1 year ago

I have the same issue. Why not validate the nonce by default, if this line handles the case where the nonce is missing?