Consider adding switch to enable or disable OIDC nonce

[hejianchao]

@hejianchao No there isn't a setting/property available to turn it off. Are you having issues with it? Why do you want it disabled?

Originally posted by @jgrandja in #4442 (comment)

This issue was created for two reasons:

1. Some cloud vendors do not fully support OIDC nonce, and an error will be reported: invalid nonce
2. OpenID Connect Core 1.0, Section 3.1.2.1, "nonce" parameter:

nonce
OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.

Also, as far as I know, the pac4j framework supports nonce settings (link).

[jgrandja]

@hejianchao Regarding your comment:

Some cloud vendors do not fully support OIDC nonce, and an error will be reported: invalid nonce

If this is the case than the provider is NOT OpenID Connect compliant.

As per spec, in the ID Token section:

String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.

The Authorization Server MUST include the nonce Claim in the ID Token if it was sent in the Authentication Request.

If you need to override the Authentication Request to not include the nonce parameter than you can supply oauth2Login().authorizationEndpoint().authorizationRequestResolver() a custom OAuth2AuthorizationRequestResolver that removes the nonce parameter. Take a look at the reference doc for an example of how to implement.

[hejianchao]

@jgrandja It works but not so convenient, For optional parameters like nonce, switches are a more convenient way. Anyway, thanks for your information.

[jgrandja]

@hejianchao

Some cloud vendors do not fully support OIDC nonce, and an error will be reported: invalid nonce

Which provider are you having this issue with? Could you provide more details around the error message? Is the error message being triggered by the provider or client?

[hejianchao]

The method that throws the exception is: org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider#authenticate:

// Validate nonce
String requestNonce = authorizationRequest.getAttribute(OidcParameterNames.NONCE);
if (requestNonce != null) {
	String nonceHash;
	try {
		nonceHash = createHash(requestNonce);
	} catch (NoSuchAlgorithmException e) {
		OAuth2Error oauth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
		throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
	}
	String nonceHashClaim = idToken.getNonce();
	if (nonceHashClaim == null || !nonceHashClaim.equals(nonceHash)) {
                // Here thrown the exception because nonceHashClaim is null
		OAuth2Error oauth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
		throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
	}
}

[jgrandja]

@hejianchao Which provider are you using?