Yes, so as I mentioned, it means that there is a bug on their side, as they
claim the "nonce" field as mandatory even though it isn't per the specs. So I
suggest creating a JIRA on their side too.
For our side, feel free to create a JIRA to add "nonce", but it's not a
bug, rather a feature request, as we don't break the specs anyhow.
Marek
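For readers who want to see what "adding nonce" to an Authorization Code flow actually involves on the relying-party side, the following is an added example and not Keycloak code or anything from this thread. It generates a fresh nonce per login, sends it alongside state in the authorization request, and refuses an ID token whose nonce claim does not match the one stored for that state. The endpoint URLs, client_id, issuer and the HS256 key are made-up assumptions so the block runs offline; a real provider such as FranceConnect signs ID tokens with its own keys and the RP would verify those instead, plus exp/iat.

```python
"""Added example (not Keycloak's code): an OIDC relying party that sends a
per-login nonce in the Authorization Code flow request and checks it in the
returned ID token. All URLs, identifiers and the signing key are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the IdP: an HS256-signed JWT so the example
    runs offline. Real providers use RS256 and publish keys via jwks_uri."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class RelyingParty:
    def __init__(self, client_id, redirect_uri, authorize_endpoint, issuer, key):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_endpoint = authorize_endpoint
        self.issuer = issuer
        self.key = key
        # state -> nonce; stands in for the user's server-side session store
        self._pending = {}

    def build_authorization_url(self) -> str:
        """Authorization request with both state (CSRF) and nonce (token binding)."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[state] = nonce
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid",
            "state": state,
            "nonce": nonce,
        }
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def verify_id_token(self, state: str, id_token: str) -> dict:
        """Check signature, iss, aud and that nonce matches the one sent for state."""
        expected_nonce = self._pending.pop(state, None)  # one-shot: blocks replay
        if expected_nonce is None:
            raise ValueError("unknown or already-used state")
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected_sig = hmac.new(
            self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.client_id not in ([aud] if isinstance(aud, str) else aud or []):
            raise ValueError("token not issued for this client")
        nonce = claims.get("nonce")
        if not isinstance(nonce, str) or not hmac.compare_digest(
            nonce.encode(), expected_nonce.encode()
        ):
            raise ValueError("nonce missing or does not match the one sent")
        return claims


KEY = b"constructed-shared-test-key"  # assumption, only for the offline demo


def _new_rp() -> RelyingParty:
    return RelyingParty("my-client", "https://rp.example/cb",
                        "https://idp.example/authorize", "https://idp.example", KEY)


def demo() -> dict:
    """Happy path: the IdP echoes our nonce, so the ID token is accepted."""
    rp = _new_rp()
    q = parse_qs(urlparse(rp.build_authorization_url()).query)
    state, nonce = q["state"][0], q["nonce"][0]
    token = make_hs256_id_token(  # constructed: what the IdP returns from /token
        {"iss": "https://idp.example", "aud": "my-client", "sub": "user-1", "nonce": nonce}, KEY)
    return rp.verify_id_token(state, token)


def replayed_token_rejected() -> bool:
    """A valid token from another login (different nonce) must be refused."""
    rp = _new_rp()
    state = parse_qs(urlparse(rp.build_authorization_url()).query)["state"][0]
    stale = make_hs256_id_token(
        {"iss": "https://idp.example", "aud": "my-client", "sub": "user-1", "nonce": "old"}, KEY)
    try:
        rp.verify_id_token(state, stale)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), replayed_token_rejected())
```

The nonce is what ties the ID token to the browser session that started the login; state alone only protects the redirect back to the RP. Popping the stored nonce on first use is what makes a replayed token fail even if it was legitimately issued earlier.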
On 05/01/18 11:34, Raphaël HOAREAU wrote:
Marek,
Thank you for the explanations.
FranceConnect already seems to use the Authorization Code flow, but
defines "nonce" as a mandatory field:
https://partenaires.franceconnect.gouv.fr/fournisseur-service
FR (translated): "NONCE Mandatory field, randomly generated by the FS, which FC
returns as-is in the response to the /token call, to then be
verified by the FS. It is used to prevent replay attacks"
EN: "NONCE Mandatory field, randomly generated by FS (client) that FC
(FranceConnect) resends as-is in the request to /token, to be verified
by the FS. It is used to prevent replay attacks"
I'll create a JIRA in Keycloak.
Raphaël.
Le 04/01/2018 à 22:06, Marek Posolda a écrit :
> Yes, Keycloak doesn't add "nonce" to the requests to identity
> providers. But IMO it's not Keycloak's fault that your scenario
> doesn't work, because "nonce" is not required, but just "optional" per
> the OIDC specification in the Authorization Code flow. See [1].
>
> Is FranceConnect using the Authorization Code Flow or some other
> OIDC/OAuth2 flow? If it's using some other flow (e.g. Implicit flow),
> is it possible to switch it to use the Authorization Code flow instead?
> If it already uses the Authorization Code flow, then it's a mistake on
> their side, as "nonce" is an optional parameter per the specs, so they
> shouldn't require it.
>
> Still, you can maybe create a JIRA in Keycloak for adding nonce. There
> shouldn't be any significant issue with adding it (besides the URL to
> identityProviders being a bit longer).
>
> [1]
> http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
>
> Marek
>
>
> On 04/01/18 15:59, Raphaël HOAREAU wrote:
>> Hi,
>>
>> I'm facing an issue where I use an external OIDC IdP (FranceConnect)
>> for my users to log in.
>>
>> When trying to log in with this provider, I get this error:
>>
>> {"status":"fail","message":"The following fields are missing or
>> empty : nonce"}
>>
>> If I manually put &nonce=someRandomInt in the URL, the process
>> continues.
>>
>> Am I missing something in my Identity Provider configuration? Is there
>> a way to add a parameter when requesting the external provider?
>>
>>
>> Regards,
>>
>> Raphaël HOAREAU.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>