This repository has been archived by the owner on Nov 18, 2024. It is now read-only.

Merge pull request #27 from DrDaveD/allow-empty-nonce
Allow the nonce to be empty
impl authored Jan 16, 2021
2 parents 81f2079 + 03ff677 commit c3b6dc1
Showing 1 changed file with 6 additions and 2 deletions.
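--- a/pkg/provider/oidc.go
+++ b/pkg/provider/oidc.go
@@ -48,8 +48,12 @@ func (c *oidcExchangeConfig) verifyUpdateToken(ctx context.Context, t *Token) er
 return fmt.Errorf("oidc: verification error: %w", err)
 }
 
-if subtle.ConstantTimeEq(int32(len(idToken.Nonce)), int32(len(c.nonce))) == 0 ||
-subtle.ConstantTimeCompare([]byte(idToken.Nonce), []byte(c.nonce)) == 0 {
+// If nonce is configured, make sure it matches the nonce in
+// the ID token. It is not configured when refresh_token is
+// sent in from an external source.
+if len(c.nonce) > 0 &&
+(subtle.ConstantTimeEq(int32(len(idToken.Nonce)), int32(len(c.nonce))) == 0 ||
+subtle.ConstantTimeCompare([]byte(idToken.Nonce), []byte(c.nonce)) == 0) {
 return ErrOIDCNonceMismatch
 }
 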
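Review bot: The new `len(c.nonce) > 0` guard makes the nonce check fail open: whenever `c.nonce` is empty, an ID token carrying any nonce, or none, passes verifyUpdateToken, and nothing visible in the hunk ties that to the externally supplied refresh_token case the comment describes. If an interactive login could ever reach this path with an unset nonce, replay protection would be lost silently, so I would either key the skip on an explicit field set by the refresh path or at least state the invariant in the comment, e.g. `// An empty c.nonce disables the nonce check; every flow that sends a nonce in the auth request must set it.` Separately, the `subtle.ConstantTimeEq` length comparison is redundant, since `subtle.ConstantTimeCompare` already returns 0 when the lengths differ. The function starts and ends outside the hunk, so how `c.nonce` is populated is not visible here.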
