[keycloak-user] OpenID Connect IdP and nonce parameter
Marek Posolda
mposolda at redhat.com
Fri Jan 5 07:54:05 EST 2018
Yes, so as I mentioned, it means that there is a bug on their side, as they
claim the "nonce" field is mandatory even if it's not per the specs. So I
suggest creating a JIRA on their side too.
For our side, feel free to create a JIRA to add "nonce", but it's not a
bug, rather a feature request, as we don't break the specs anyhow.
Marek
On 05/01/18 11:34, Raphaël HOAREAU wrote:
> Marek,
>
> Thank you for the explanations.
>
> FranceConnect already seems to use Authorization Code flow, but
> defines "nonce" as a mandatory field:
>
> https://partenaires.franceconnect.gouv.fr/fournisseur-service
>
> FR : "NONCE Champ obligatoire, généré aléatoirement par le FS que FC
> renvoie tel quel dans la réponse à l'appel à /token, pour être ensuite
> vérifié par le FS. Il est utilisé pour empêcher les attaques par rejeu"
>
> EN : "NONCE Mandatory field, randomly generated by FS (client) that FC
> (FranceConnect) resend as-is in the request to /token, to be verified
> by the FS. It is used to prevent replay attacks"
>
> I'll create a JIRA in Keycloak.
>
> Raphaël.
>
> On 04/01/2018 at 22:06, Marek Posolda wrote:
>> Yes, Keycloak doesn't add "nonce" to the requests to identity
>> providers. But IMO it's not Keycloak's fault that your scenario
>> doesn't work, because "nonce" is not required, just "optional" per the
>> OIDC specification in Authorization Code flow. See [1].
>>
>> Is FranceConnect using Authorization Code Flow or some other
>> OIDC/OAuth2 flow? If it's using some other flow (e.g. Implicit flow),
>> is it possible to switch it to use Authorization Code flow instead?
>> If it already uses Authorization Code flow, then it's a mistake on
>> their side, as "nonce" is an optional parameter per the specs, so they
>> shouldn't require it.
>>
>> Still, you can maybe create a JIRA in Keycloak for adding nonce. There
>> shouldn't be any significant issue with adding it (besides that the URL
>> to identityProviders will be a bit longer).
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
>>
>> Marek
>>
>>
>> On 04/01/18 15:59, Raphaël HOAREAU wrote:
>>> Hi,
>>>
>>> I'm facing an issue where I use an external OIDC IdP (FranceConnect)
>>> for my users to log in.
>>>
>>> When trying to log in with this provider, I have this error:
>>>
>>> {"status":"fail","message":"The following fields are missing or
>>> empty : nonce"}
>>>
>>> If I manually put &nonce=someRandomInt in the URL, the process
>>> continues.
>>>
>>> Am I missing something in my Identity Provider configuration? Is there
>>> a way to add a parameter when requesting the external provider?
>>>
>>>
>>> Regards,
>>>
>>> Raphaël HOAREAU.
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
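Added example (not from this thread, and not Keycloak's or FranceConnect's code): the relying-party side of the nonce handling the thread discusses, in Python with only the standard library. The endpoint, client id and redirect URI are constructed placeholders, and the demo ID token is unsigned and exists only to exercise the check; a real RP verifies the token signature against the provider's JWKS before trusting any claim.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholder values, not a real provider's endpoints.
AUTH_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://rp.example/callback"


def build_auth_request(session: dict) -> str:
    """Build an Authorization Code flow request that also carries a nonce.

    The nonce comes from a CSPRNG (never a guessable 'someRandomInt'), is
    stored in the RP session so it can be checked later, and is sent next to
    'state', which separately protects the redirect back to the RP.
    """
    session["nonce"] = secrets.token_urlsafe(32)
    session["state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check here)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def verify_nonce(session: dict, id_token: str) -> bool:
    """Accept the ID token only if its 'nonce' claim equals the value this RP
    sent; the stored value is consumed so a replayed token cannot match twice."""
    expected = session.pop("nonce", None)
    got = str(id_token_claims(id_token).get("nonce", ""))
    return expected is not None and secrets.compare_digest(expected.encode(), got.encode())


def make_demo_id_token(claims: dict) -> str:
    """Constructed, unsigned ID token used only to exercise verify_nonce()."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```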