[keycloak-user] OIDC - ID Token's nonce validation

Marek Posolda mposolda at redhat.com
Tue May 5 11:18:02 EDT 2015


We don't have support for it at this moment. Could you please create a 
JIRA for it?

Thanks,
Marek

On 5.5.2015 16:12, Iván Perdomo wrote:
> Hi again,
>
> On 05/05/2015 03:19 PM, Iván Perdomo wrote:
>> If present in the ID Token, Clients MUST
>>> verify that the nonce Claim Value is equal to the value of the nonce
>>> parameter sent in the Authentication Request.
> More info is also described in the ID Token validation section
>
>> If a nonce value was sent in the Authentication Request, a nonce
>> Claim MUST be present and its value checked to verify that it is the
>> same value as the one that was sent in the Authentication Request.
>> The Client SHOULD check the nonce value for replay attacks. The
>> precise method for detecting replay attacks is Client specific.
> http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
>
> As I understand it, if a `nonce` parameter is present in the
> authentication request, we should simply return it as a "claim" in the ID
> Token.
>
> I'm browsing the source code and I see that the IDToken [1] class is
> prepared with the `nonce` property. But I'm kind of lost on where
> the authentication request gets parsed. I would like to contribute this
> change, any guide where to look?
>
> [1]
> https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/org/keycloak/representations/IDToken.java#L40-L41
>
> Cheers,
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

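The thread above describes the whole nonce contract: the client mints a nonce and sends it in the Authentication Request, the provider copies it unchanged into the ID Token's `nonce` claim, and the client checks that the claim is present, equal to what it sent, and not reused. The following is an added example written for this page, not Keycloak's code: a relying party that stores the nonce in its session and consumes it on first use (so a replayed token is rejected), plus a stand-in provider that only echoes the request nonce into the token. The shared secret, issuer, client id and user id are constructed values, and HS256 stands in for the RS256/JWKS signing a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- JWT helpers (HS256 with a constructed secret; a real client verifies the provider's RS256 keys) ---

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# --- Relying party (client) side ---

class IDTokenError(ValueError):
    """Raised when an ID Token fails validation; the login attempt must be discarded."""

def build_auth_request(session: dict, client_id: str, redirect_uri: str) -> dict:
    """Start a login: mint a fresh nonce, remember it in the user's session, send it in the request."""
    nonce = secrets.token_urlsafe(32)          # 256 bits: unguessable and unique per attempt
    session["oidc_nonce"] = nonce
    return {"response_type": "code", "scope": "openid", "client_id": client_id,
            "redirect_uri": redirect_uri, "nonce": nonce}

def validate_id_token(token: str, session: dict, key: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Verify alg, signature, iss, aud, exp, then the nonce; the stored nonce is consumed on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never let the token choose the algorithm
        raise IDTokenError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IDTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IDTokenError("wrong issuer")
    if claims.get("aud") != client_id:
        raise IDTokenError("token not issued for this client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise IDTokenError("token expired")
    # Nonce rules from OIDC Core 3.1.3.7; this client always sends a nonce, so one must come back.
    sent_nonce = session.get("oidc_nonce")
    if sent_nonce is None:
        raise IDTokenError("no login in progress for this session (replayed or unsolicited token)")
    nonce = claims.get("nonce")
    if not isinstance(nonce, str):
        raise IDTokenError("nonce claim missing although one was sent")
    if not hmac.compare_digest(nonce, sent_nonce):
        raise IDTokenError("nonce mismatch: token belongs to a different login attempt")
    del session["oidc_nonce"]                  # single use: presenting the same token again fails above
    return claims

# --- Stand-in provider side: the only job is to echo the request nonce into the ID Token ---

def issue_id_token(auth_request: dict, key: bytes, issuer: str, subject: str, now=None) -> str:
    iat = int(now if now is not None else time.time())
    claims = {"iss": issuer, "sub": subject, "aud": auth_request["client_id"], "iat": iat, "exp": iat + 300}
    if "nonce" in auth_request:
        claims["nonce"] = auth_request["nonce"]
    return sign_hs256(claims, key)

def demo() -> dict:
    """Run a normal login, then three failure cases; returns the outcome of each by name."""
    key, issuer, client = b"constructed-shared-secret", "https://idp.example", "my-client"  # constructed
    outcomes = {}

    def attempt(name, token, session):
        try:
            validate_id_token(token, session, key, issuer, client)
            outcomes[name] = "accepted"
        except IDTokenError as exc:
            outcomes[name] = f"rejected: {exc}"

    session = {}
    request = build_auth_request(session, client, "https://app.example/cb")
    token = issue_id_token(request, key, issuer, "user-1")
    attempt("first_use", token, session)
    attempt("replay", token, session)           # same token again: nonce already consumed

    session = {}
    request = build_auth_request(session, client, "https://app.example/cb")
    foreign = issue_id_token(dict(request, nonce="nonce-from-some-other-login"), key, issuer, "user-1")
    attempt("mismatch", foreign, session)       # token minted for a different login attempt

    session = {}
    request = build_auth_request(session, client, "https://app.example/cb")
    stripped = issue_id_token({k: v for k, v in request.items() if k != "nonce"}, key, issuer, "user-1")
    attempt("missing", stripped, session)       # provider dropped the nonce claim
    return outcomes

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The replay detection here is the simplest client-specific method the spec leaves open: the nonce lives in the server-side session only between sending the request and validating the token, so a second presentation of the same ID Token finds nothing to compare against. The `exp` check still matters for the window in which the session is live, and the `alg` check runs before the signature is computed so the token cannot downgrade the verification.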