Provide nonce protection for replay attacks

[sadilchamishka]

Proposed changes in this pull request

The nonce based replay attack protection is provided from the OIDC federated authenticators.

The replay attack

The authorization code flow of the federated authentication flow is targeted in this attack. As shown in the below figure, the authorization code response which is redirected to the authorization server (highlighted in red) can be hijacked and even block the redirection. Then the potential attacker can continue complete authorization flow from the beginning but without completing step 5, and play a redirection to the authorization server including the hijacked auth code of the victim.

• The authorization flow is exposed to this type of attack due to not being able to prove the authorization request sender (redirection of step 3) is the same as the auth code receiver (step 6) for that corresponding authorization request.

• Attack complexity is high due to the attacker having to intercept the auth code in step 06 and drop the redirection. The attacker can intercept the redirection and fetch the auth code as it is sent as a query param. Then if he succeeds in reaching the authorization server before the victim's request, the attacker can exploit.

[jenkins-is-staging]

PR builder started Link: https://github.com/wso2/product-is/actions/runs/4445972331

[jenkins-is-staging]

PR builder completed Link: https://github.com/wso2/product-is/actions/runs/4445972331 Status: failure

[jenkins-is-staging]

PR builder started Link: https://github.com/wso2/product-is/actions/runs/4447668103

[jenkins-is-staging]

PR builder completed Link: https://github.com/wso2/product-is/actions/runs/4447668103 Status: failure

[jenkins-is-staging]

PR builder started Link: https://github.com/wso2/product-is/actions/runs/4461168208

[jenkins-is-staging]

PR builder completed Link: https://github.com/wso2/product-is/actions/runs/4461168208 Status: success

[sadilchamishka]

PR is under review