Marek,
Thank you for the explanations.
FranceConnect already seems to use Authorization Code flow, but defines
"nonce" as a mandatory field:
https://partenaires.franceconnect.gouv.fr/fournisseur-service
FR (translated): "NONCE Mandatory field, randomly generated by the FS, which FC
returns as-is in the response to the call to /token, to then be verified by
the FS. It is used to prevent replay attacks"
EN: "NONCE Mandatory field, randomly generated by FS (client) that FC
(FranceConnect) resends as-is in the request to /token, to be verified by
the FS. It is used to prevent replay attacks"
I'll create a JIRA in Keycloak.
Raphaël.
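As an added illustration (not code from the thread, from Keycloak or from FranceConnect), here is what a relying party does with the "nonce" being discussed: generate it per login, put it in the Authorization Code flow request next to "state", remember it in the session, and after the /token call check that the ID token's "nonce" claim matches before trusting the token, consuming the value so a replayed token cannot match a second time. The endpoint, client ID, redirect URI and HS256 shared secret are constructed placeholders; the make_id_token helper only stands in for the provider's token response so the check can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholders for the example; not FranceConnect's real values.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://rp.example/callback"
SHARED_SECRET = b"constructed-client-secret-for-hs256"  # constructed HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(session: dict) -> str:
    """Build the code-flow /authorize URL, adding a fresh nonce and state.

    Both values are stored in the caller's session so that the callback
    handler can check them later; nonce binds the ID token to this login,
    state binds the redirect back to this browser session.
    """
    session["nonce"] = secrets.token_urlsafe(32)
    session["state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def make_id_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 ID token; stands in for the provider's /token response."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(id_token: str, session: dict, key: bytes = SHARED_SECRET) -> dict:
    """Verify the signature, then bind the token to this login via the nonce.

    The expected nonce is removed from the session on the way out, so the
    same ID token presented again (a replay) no longer has anything to match.
    """
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse algorithm substitution
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    expected_nonce = session.pop("nonce", None)  # one-time use
    presented = str(claims.get("nonce", "")).encode()
    if expected_nonce is None or not hmac.compare_digest(presented, expected_nonce.encode()):
        raise ValueError("nonce missing or mismatched: possible replay")
    return claims


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session))
    token = make_id_token({"sub": "user-1", "nonce": session["nonce"]})
    print(verify_id_token(token, session))
```

The nonce is what makes the ID token unusable outside the login that requested it; the state parameter on the redirect serves a separate purpose and is checked by the callback handler in the same way. In a real deployment the signature check uses the provider's published keys rather than a shared secret, and the usual "iss", "aud" and "exp" checks come before the nonce comparison.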
On 04/01/2018 at 22:06, Marek Posolda wrote:
Yes, Keycloak doesn't add "nonce" to the requests to identity
providers. But IMO that's not Keycloak's fault that your scenario
doesn't work because "nonce" is not required, but just "optional" per
OIDC specification in Authorization Code flow. See [1].
Is FranceConnect using Authorization Code Flow or some other
OIDC/OAuth2 flow? If it's using some other flow (e.g. Implicit flow),
is it possible to switch it to use Authorization Code flow instead? If
it already uses Authorization Code flow, then it's a mistake on their
side as "nonce" is an optional parameter per specs, so they shouldn't
require it though.
Still, you can maybe create a JIRA in Keycloak for adding nonce. There
shouldn't be any significant issue with adding it (besides the URL to
identityProviders will be a bit longer).
[1] http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Marek
On 04/01/18 15:59, Raphaël HOAREAU wrote:
> Hi,
>
> I'm facing an issue where I use an external oidc IdP (FranceConnect) for
> my users to log in.
>
> When trying to login with this provider, I have this error:
>
> {"status":"fail","message":"The following fields are missing or empty
> : nonce"}
>
> If I put &nonce=someRandomInt in the URL manually, the process
> continues.
>
> Am I missing something in my Identity Provider configuration? Is there
> a way to add a parameter when requesting the external provider?
>
>
> Regards,
>
> Raphaël HOAREAU.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user