irods-contrib / irods_auth_plugin_openid


use nonce in authorization url, and verify on callback from oidc provider #1

Closed theferrit32 closed 6 years ago

theferrit32 commented 6 years ago

In order to prevent another authorization request from being received during the 30-second window the server waits to receive one, append a nonce to the end of the authorization URL that the client uses, and when the callback is received, verify that the nonce is in the request params.

I've verified that the nonce is passed through the provider and sent in the callback; I just need to have the server plugin verify it. For a short-term solution, just reject any requests without the correct nonce, and tell the user to try authenticating again.

In terms of a long-term solution for this timing issue, the server should always be listening for authorization callbacks, and determine which client the access_token corresponds to based on which nonce is in that request.

For example, two clients A and B attempt to authenticate around the same time, with

(A) https:///authorize?response_type=code&scope=openid%20profile%20email&client_id=1518717942&redirect_uri=http://localhost:8080/?nonce=SECRETNONCE1

(B) https:///authorize?response_type=code&scope=openid%20profile%20email&client_id=1518717942&redirect_uri=http://localhost:8080/?nonce=SECRETNONCE2

When the server sees a request from oidc provider, it can tell which client has authorized by the nonce in the request.

theferrit32 commented 6 years ago

The OpenID Connect spec defines the parameters "state" and "nonce" for this. http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

More info from provider implementations: https://docs.globus.org/api/auth/developer-guide/#obtaining-authorization https://developers.google.com/identity/protocols/OAuth2WebServer#creatingclient

theferrit32 commented 6 years ago

Finished. The authorization callback request is verified and tied to the plugin client through 'state', and the access token response is verified and tied to the plugin client through the 'nonce' value in the id_token.
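The design the thread settles on, as an added example (this is not code from irods_auth_plugin_openid): the server keeps one pending entry per client, keyed by a random `state`, so a callback from the provider is routed to the right client by `state` even when several clients are mid-authentication, and the `nonce` sent in the authorization request is checked against the `nonce` claim inside the id_token. The provider host, the HS256 shared secret, the client labels and the 30-second pending lifetime are assumptions made for the example; `client_id` and `redirect_uri` are the values visible in the URLs above. Real providers normally sign id_tokens with RS256 and publish keys via JWKS; HS256 is used here only so the example runs offline.

```python
# Added example, not code from irods_auth_plugin_openid. The provider host,
# the HS256 shared secret and the client labels are constructed assumptions;
# client_id and redirect_uri are the values shown in the issue's URLs.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://provider.example/authorize"  # assumed host
CLIENT_ID = "1518717942"
REDIRECT_URI = "http://localhost:8080/"
PENDING_TTL = 30  # seconds; the window the issue describes


class PendingAuths:
    """One entry per plugin client waiting for a callback, keyed by 'state'."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # state -> {"client", "nonce", "expires"}

    def start(self, client_label):
        """Register a client; return (authorization_url, state) for it."""
        state = secrets.token_urlsafe(32)  # unguessable; ties callback to client
        nonce = secrets.token_urlsafe(32)  # echoed by the provider in the id_token
        self._pending[state] = {"client": client_label, "nonce": nonce,
                                "expires": self._now() + PENDING_TTL}
        params = {"response_type": "code", "scope": "openid profile email",
                  "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "state": state, "nonce": nonce}
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state

    def match_callback(self, callback_url):
        """Return (client_label, nonce, code) for the client whose 'state' is
        in the callback, or None for an unknown, replayed or expired state."""
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        entry = self._pending.pop(state, None) if state else None  # single use
        if entry is None or code is None or entry["expires"] < self._now():
            return None
        return entry["client"], entry["nonce"], code


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_id_token(id_token, expected_nonce, hs256_secret, now=time.time):
    """Check the signature, then aud/exp and the nonce this client sent.
    HS256 with a shared secret is assumed (offline); providers use RS256/JWKS."""
    try:
        h, p, s = id_token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        want = hmac.new(hs256_secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    exp = claims.get("exp")
    if claims.get("aud") != CLIENT_ID or not isinstance(exp, (int, float)) or exp < now():
        return None
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(),
                               expected_nonce.encode()):
        return None
    return claims


def make_id_token(claims, hs256_secret):
    """Constructed stand-in for the provider's token endpoint response."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(hs256_secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def demo():
    """Two clients start at once; B's callback is routed by its state."""
    secret = b"constructed-shared-secret"
    reg = PendingAuths()
    reg.start("client A")
    _url_b, state_b = reg.start("client B")
    callback_b = f"{REDIRECT_URI}?code=codeB&state={state_b}"
    client, nonce, _code = reg.match_callback(callback_b)
    # The code would now be exchanged at the token endpoint; the id_token it
    # returns carries the nonce from B's authorization request.
    token = make_id_token({"aud": CLIENT_ID, "sub": "user-b",
                           "exp": time.time() + 300, "nonce": nonce}, secret)
    verified = verify_id_token(token, nonce, secret) is not None
    replay = reg.match_callback(callback_b)  # state already consumed -> None
    return client, verified, replay
```

`demo()` returns `("client B", True, None)`: the callback carrying B's `state` is matched to client B while A is still pending, the id_token is accepted only because its `nonce` claim equals the one B sent, and a second delivery of the same callback is refused because the `state` entry was consumed on first use. Note that `state` and `nonce` are separate parameters in the authorization URL rather than being appended to `redirect_uri`, which providers compare exactly against the registered value.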