OIDC provider: nonce should be optional in authorization code flow #13204

Closed
candlerb opened this issue Nov 18, 2021 · 2 comments · Fixed by #13231

Comments

@candlerb
Contributor

Describe the bug
I am testing the Vault 1.9.0 OIDC provider tech-preview.

Using the dex example-app as a client, I get the following response:

invalid_request: nonce parameter is required

However, according to the OpenID Connect Core specification, section 3.1.2.1, the nonce is "OPTIONAL" in the Authorization Code Flow.

(It is required in the Implicit Flow and Hybrid Flow, but that's not what Vault implements)

To Reproduce

  1. Set up Vault OIDC provider as here

  2. Install dex example-app

  3. Run the example app pointing at Vault

    bin/example-app --client-id XXXXXXXX --client-secret hvo_secret_YYYYYYYY --debug \
      --issuer https://vault.example.com:8200/v1/identity/oidc/provider/my-provider --listen http://0.0.0.0:5555 \
      --redirect-uri http://127.0.0.1:5555/callback
    
  4. Log in to the example app via the web

Expected behavior
Vault should accept the Authorization flow without a nonce, as compliant applications are not required to provide one.

Environment:

  • Vault Server Version (retrieve with vault status): 1.9.0
  • Vault CLI Version (retrieve with vault version): Vault v1.9.0
  • Server Operating System/Architecture: Ubuntu 20.04 amd64

Vault server configuration file(s): N/A

Additional context
The spec also says:

If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.

Note use of "If present".
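The flow-dependent rule the report describes, written out in Go as an added illustration (this is not Vault's or dex's code; the type and function names are my own): the provider rejects a missing nonce only for Implicit and Hybrid response_types, echoes a supplied nonce into the ID Token, and the relying party compares it case-sensitively.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthRequest is the subset of an OIDC Authentication Request that matters here.
type AuthRequest struct {
	ResponseType string // "code", "id_token", "id_token token", "code id_token", ...
	Nonce        string
}
// ErrNonceRequired mirrors the error text the issue reports.
var ErrNonceRequired = errors.New("invalid_request: nonce parameter is required")

// nonceRequired: OPTIONAL for the Authorization Code Flow ("code"), REQUIRED for
// the Implicit and Hybrid Flows (any response_type containing id_token or token).
func nonceRequired(responseType string) bool {
	rt := " " + responseType + " "
	return strings.Contains(rt, " id_token ") || strings.Contains(rt, " token ")
}

// ValidateAuthRequest is the provider-side check the issue asks Vault to relax.
func ValidateAuthRequest(req AuthRequest) error {
	if req.Nonce == "" && nonceRequired(req.ResponseType) {
		return ErrNonceRequired
	}
	return nil
}

// IDTokenClaims echoes the nonce into the ID Token only if the request carried one.
func IDTokenClaims(req AuthRequest, sub string) map[string]string {
	claims := map[string]string{"sub": sub}
	if req.Nonce != "" {
		claims["nonce"] = req.Nonce
	}
	return claims
}

// ClientVerifyNonce is the relying-party check: a nonce claim, if present, must equal
// the nonce sent (case-sensitive), and a nonce that was sent must be echoed back.
func ClientVerifyNonce(sent string, claims map[string]string) error {
	if got := claims["nonce"]; got != sent { // an absent claim reads as ""
		return fmt.Errorf("nonce mismatch: sent %q, got %q", sent, got)
	}
	return nil
}

func main() { // dex example-app style request: authorization code flow, no nonce
	fmt.Println(ValidateAuthRequest(AuthRequest{ResponseType: "code"}))     // <nil>
	fmt.Println(ValidateAuthRequest(AuthRequest{ResponseType: "id_token"})) // nonce required
}
```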

@heatherezell
Contributor

Thanks for this issue report! I'll start looking into this.

@austingebauer austingebauer self-assigned this Nov 18, 2021
@austingebauer austingebauer added this to the 1.9.1 milestone Nov 18, 2021
@austingebauer
Contributor

Thanks for reporting this, @candlerb! We're going to make the nonce parameter optional (authorization code flow) to comply with the spec. We do recommend supplying a nonce for security concerns highlighted by the spec though. We're targeting to release this update in Vault 1.9.1.
