[keycloak-user] OpenID Connect IdP and nonce parameter

Marek Posolda mposolda at redhat.com
Thu Jan 4 16:06:40 EST 2018


Yes, Keycloak doesn't add "nonce" to the requests to identity providers. 
But IMO that's not Keycloak's fault that your scenario doesn't work, 
because "nonce" is not required, but just "optional" per the OIDC 
specification in the Authorization Code flow. See [1].

Is FranceConnect using Authorization Code Flow or some other OIDC/OAuth2 
flow? If it's using some other flow (e.g. Implicit flow), is it possible 
to switch it to use Authorization Code flow instead? If it already uses 
Authorization Code flow, then it's a mistake on their side, as "nonce" is 
an optional parameter per the specs, so they shouldn't require it.

Still, you can maybe create a JIRA in Keycloak for adding nonce. There 
shouldn't be any significant issue with adding it (besides the URL to 
identityProviders being a bit longer).

[1] http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Marek


On 04/01/18 15:59, Raphaël HOAREAU wrote:
> Hi,
>
> I'm facing an issue where I use an external oidc IdP (FranceConnect) for
> my users to log in.
>
> When trying to login with this provider, I have this error:
>
> {"status":"fail","message":"The following fields are missing or empty : nonce"}
>
> If I put, manually, &nonce=someRandomInt, in the URL, the process continues.
>
> Am I missing something in my Identity Provider configuration? Is there
> a way to add a parameter when requesting the external provider?
>
>
> Regards,
>
> Raphaël HOAREAU.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
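The nonce the thread is about is a relying-party value: generated per login attempt, sent in the authorization request (the parameter Raphaël added by hand), and later compared against the `nonce` claim in the ID token so that a captured token cannot be replayed into another session. The following is an added illustration of that round trip on the relying-party side, written for this page; it is not Keycloak's or FranceConnect's code. The endpoint URL, client id, redirect URI and the ID-token fixture are constructed placeholders, and ID-token signature verification is assumed to happen before the nonce check.

```python
"""OIDC Authorization Code flow, relying-party side: where a nonce is
generated, sent, and checked. Constructed example; not Keycloak's code."""
import base64
import json
import secrets
from urllib.parse import urlencode


def new_nonce() -> str:
    """Unguessable value bound to one login attempt (token_urlsafe output is
    URL-safe, so it needs no further encoding in the query string)."""
    return secrets.token_urlsafe(32)


def build_auth_request(authorization_endpoint: str, client_id: str,
                       redirect_uri: str, state: str, nonce: str,
                       scope: str = "openid") -> str:
    """Authorization Code flow request (response_type=code) carrying the
    optional nonce parameter, the request the thread says Keycloak omits."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding of the callback to this browser session
        "nonce": nonce,  # replay binding of the ID token to this login attempt
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Payload of a compact JWT (header.payload.signature). This only decodes;
    the signature must already have been verified against the IdP's keys."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


class NonceStore:
    """Outstanding nonces keyed by the request's state value. A nonce is
    consumed on first use, so the same ID token cannot pass the check twice."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def remember(self, state: str, nonce: str) -> None:
        self._pending[state] = nonce

    def check_id_token(self, state: str, id_token: str) -> bool:
        expected = self._pending.pop(state, None)  # single use, even on failure
        if expected is None:
            return False
        received = id_token_claims(id_token).get("nonce")
        if not isinstance(received, str):
            return False  # claim missing: token was not issued for this request
        return secrets.compare_digest(received, expected)


def constructed_id_token(claims: dict) -> str:
    """Test fixture only: a JWT-shaped string with an empty signature segment.
    Real ID tokens are signed and must be verified before use."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    store = NonceStore()
    state, nonce = secrets.token_urlsafe(16), new_nonce()
    store.remember(state, nonce)
    url = build_auth_request("https://idp.example/authorize", "example-client",
                             "https://rp.example/callback", state, nonce)
    print(url)
    token = constructed_id_token({"iss": "https://idp.example", "sub": "42",
                                  "nonce": nonce})
    print("nonce ok:", store.check_id_token(state, token))
    print("replay ok:", store.check_id_token(state, token))
```

The store keys on `state` rather than on the nonce itself so that the callback handler can look up the expected nonce from the parameter it already receives; the ID token is the only place the nonce comes back.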



