[keycloak-user] OIDC - ID Token's nonce validation

Iván Perdomo ivan at akvo.org
Tue May 5 10:12:30 EDT 2015


Hi again,

On 05/05/2015 03:19 PM, Iván Perdomo wrote:
>> If present in the ID Token, Clients MUST
>> verify that the nonce Claim Value is equal to the value of the nonce
>> parameter sent in the Authentication Request.

More info is also described in the ID Token validation section

> If a nonce value was sent in the Authentication Request, a nonce
> Claim MUST be present and its value checked to verify that it is the
> same value as the one that was sent in the Authentication Request.
> The Client SHOULD check the nonce value for replay attacks. The
> precise method for detecting replay attacks is Client specific.

http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

As I understand it, if a `nonce` parameter is present in the
authentication request, we should simply return it as a "claim" in the ID
Token.

I'm browsing the source code and I see that the IDToken [1] class is
prepared with the `nonce` property. But I'm kind of lost on where the
authentication request gets parsed. I would like to contribute this
change; any guidance on where to look?

[1]
https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/org/keycloak/representations/IDToken.java#L40-L41

Cheers,

-- 
Iván
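The client-side half of the rule quoted above, as an added example that is not part of the original post or of Keycloak: a relying party issues a fresh nonce per login, binds it to the browser session, and on return checks that the ID Token carries the same value, consuming it so the same token cannot validate twice. It assumes the ID Token's signature has already been verified and that `NonceStore`, `validate_nonce` and the 300-second lifetime are hypothetical names and values chosen for illustration.

```python
import secrets
import time
import hmac

NONCE_TTL_SECONDS = 300  # assumption: how long a started login may stay open


class NonceStore:
    """Nonces issued in Authentication Requests, keyed by browser session.

    A nonce is stored once and removed on first validation attempt, which
    is one concrete form of the replay check the spec leaves Client specific.
    """

    def __init__(self, ttl=NONCE_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # session_id -> (nonce, issued_at)

    def issue(self, session_id, now=None):
        """Generate the nonce to put in the Authentication Request."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._pending[session_id] = (nonce, now)
        return nonce

    def consume(self, session_id, now=None):
        """Return the nonce expected for this session, or None if no login is
        pending or it has expired. The entry is removed either way, so a
        second ID Token with the same nonce can never validate."""
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return None
        nonce, issued_at = entry
        return None if now - issued_at > self.ttl else nonce


def validate_nonce(id_token_claims, session_id, store, now=None):
    """ID Token nonce check for a client that always sends a nonce.

    id_token_claims: decoded payload of an ID Token whose signature has
    ALREADY been verified (out of scope here). Returns True only if a
    login is pending for this session, the token has a nonce claim, and
    the two values match."""
    expected = store.consume(session_id, now)
    if expected is None:
        return False  # unsolicited, expired, or already-used token
    actual = id_token_claims.get("nonce")
    if not isinstance(actual, str):
        return False  # a nonce was sent, so the claim MUST be present
    return hmac.compare_digest(expected, actual)
```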
