Open jkroepke opened 8 months ago
hifabienne
commented
8 months ago Thank you for sharing your idea. If there is a significant demand from customers/community, we will carefully consider implementing the feature. Currently, the issue will be added to our product backlog.
Meanwhile, if you're interested in implementing it yourself, we also welcome pull requests.
muhlemmer
commented
8 months ago The standard is a bit fishy on this.
it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication
Disable is indeed the easy solution, but not necessary the correct one. If we want to be 100% correct we should verify the nonce against the original ID Token, if it was returned with the new ID token. So in case of Entra ID you could work-around the issue by constructing the RP with the WithNonce verrifier option, passed to WithVerifierOpts. Then, when calling RefreshTokens use context Values to set and obtain the Nonce from the original token.
jkroepke
commented
8 months ago The standard also says (Section 12.2)
12.2. Successful Refresh Response Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token. ... it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication
My problem is according the standard, its compliant to omit the nonce claim, too. In this case, I need a verifier which accepts both: an empty string and the nonce claim from the original ID Token.
In my case, I support any OIDC provider and I have different results from Entra ID. While on my test, the nonce is empty, other users experience that error that nonce is non-empty.
Would it be an option to check the nonce only, if its non-empty? That would be 100% correct, because it says check nonce only, if present.
jkroepke
commented
8 months ago I also tried something like this:
ctx = context.WithValue(ctx, types.CtxNonce{}, "value")
newTokens, err := rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
if errors.Is(err, oidc.ErrNonceInvalid) {
ctx = context.WithValue(ctx, types.CtxNonce{}, "")
newTokens, err = rp.RefreshTokens[*oidc.IDTokenClaims](ctx, relyingParty, refreshToken, "", "")
}but it fails, if the Provider has a one time usage policy for refresh tokens.
jkroepke
commented
7 months ago @muhlemmer what did you think about empty nonce value is fine on refresh?
muhlemmer
commented
7 months ago Sorry lost track of this issue. With the above arguments you gave I agree that we can allow an empty nonce. Do you want to send a PR for that?
jkroepke
commented
7 months ago With the above arguments you gave I agree that we can allow an empty nonce
Its spec compliant. If you read (Section 12.2):
Token from Refresh Response SHOULD NOT have a nonce Claim, however, if it is present, its value MUST be the same as in the ID Token issued at the time of the original authentication
which I interpret: claims from refresh response should be empty/non present. If not empty, the values should be equal to the initial value.
If you would agree here, I would open a PR
muhlemmer
commented
7 months ago Yes, I wrote I agree ;)
jkroepke
commented
7 months ago I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature
muhlemmer
commented
4 months ago I looked into it and since the ValidToken function does not know the context of the token source (comming from CodeExchange or Refresh), I have no clue how I could integrate a condition without changing the signature
You can open a breaking change PR against the next branch. And I can have a look if there is a solution to port it to main.
Preflight Checklist
Describe your problem
I have the issue that ID Token from Microsoft Entra ID issued via an Refresh Token may have a nonce claim. According to OIDC Spec, such token should not contain an nonce claim (The clarification on SPEC introduced 14 months ago; https://bitbucket.org/openid/connect/pull-requests/341)
The IDToken verifier includes an non optional claim which fails in my scenria, if I to a RefreshToken against Microsoft Entra ID I got this error:
Describe your ideal solution
Since ID Tokens request by an RefreshToken should not contains a nonce anyways (technically, it's not possible to define one from client site and its defined in SPEC), I prefer to disable the nonce validation in such cases.
Version
3.8.1
Environment
Self-hosted
Additional Context
I'm aware that Microsoft should fix the logic in Entra ID, but I feel this will not happen in next moths...