3:19 p.m.
Hi,
It seems that if a client sends the optional `nonce` parameter as part
of the authentication request, the server should return it as `nonce`
claim part of the ID Token
The value is passed through unmodified from the Authentication
Request to the ID Token. If present in the ID Token, Clients MUST
verify that the nonce Claim Value is equal to the value of the nonce
parameter sent in the Authentication Request. If present in the
Authentication Request, Authorization Servers MUST include a nonce
Claim in the ID Token with the Claim Value being the nonce value sent
in the Authentication Request. Authorization Servers SHOULD perform
no other processing on nonce values used. The nonce value is a case
sensitive string.
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
As of Keycloak 1.2.0.Beta1 if a client sends a `nonce`, the ID Token
doesn't include the `nonce` claim.
Should I log this as an defect? Or is something already solved in 1.2.0RC1 ?
Thanks,
--
Iván
4:12 p.m.
Hi again,
On 05/05/2015 03:19 PM, Iván Perdomo wrote:
If present in the ID Token, Clients MUST
> verify that the nonce Claim Value is equal to the value of the nonce
> parameter sent in the Authentication Request.
More info is also described in the ID Token validation section
If a nonce value was sent in the Authentication Request, a nonce
Claim MUST be present and its value checked to verify that it is the
same value as the one that was sent in the Authentication Request.
The Client SHOULD check the nonce value for replay attacks. The
precise method for detecting replay attacks is Client specific.
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
As i understand if, if a `nonce` parameter is present in the
authentication request, we should simply return it as "claim" in the ID
Token.
I'm browsing the source code and I see that IDToken [1] class is
prepared with the `nonce` property. But I'm kind of lost on where does
the authentication request gets parsed. I would like to contribute this
change, any guide where to look?
[1]
https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/or...
Cheers,
--
Iván
5:18 p.m.
We don't have support for it at this moment. Could you please create
JIRA for it?
Thanks,
Marek
On 5.5.2015 16:12, Iván Perdomo wrote:
Hi again,
On 05/05/2015 03:19 PM, Iván Perdomo wrote:
> If present in the ID Token, Clients MUST
>> verify that the nonce Claim Value is equal to the value of the nonce
>> parameter sent in the Authentication Request.
More info is also described in the ID Token validation section
> If a nonce value was sent in the Authentication Request, a nonce
> Claim MUST be present and its value checked to verify that it is the
> same value as the one that was sent in the Authentication Request.
> The Client SHOULD check the nonce value for replay attacks. The
> precise method for detecting replay attacks is Client specific.
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
As i understand if, if a `nonce` parameter is present in the
authentication request, we should simply return it as "claim" in the ID
Token.
I'm browsing the source code and I see that IDToken [1] class is
prepared with the `nonce` property. But I'm kind of lost on where does
the authentication request gets parsed. I would like to contribute this
change, any guide where to look?
[1]
https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/or...
Cheers,
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:50 p.m.
Hi,
On 05/05/2015 05:18 PM, Marek Posolda wrote:
We don't have support for it at this moment. Could you please
create
JIRA for it?
Issue logged: https://issues.jboss.org/browse/KEYCLOAK-1272
Cheers,
--
Iván
3279
days inactive
3279
days old
3 comments
2 participants
participants (2)
-
Iván Perdomo -
Marek Posolda