[keycloak-user] OpenID Connect IdP and nonce parameter

Raphaël HOAREAU raphoa at worteks.com
Fri Jan 5 05:34:49 EST 2018


Marek,

Thank you for the explanations.

FranceConnect already seems to use Authorization Code flow, but defines 
"nonce" as a mandatory field :

https://partenaires.franceconnect.gouv.fr/fournisseur-service

FR (translated): "NONCE Mandatory field, randomly generated by the FS, which FC 
returns as-is in the response to the call to /token, to then be 
verified by the FS. It is used to prevent replay attacks"

EN : "NONCE Mandatory field, randomly generated by FS (client) that FC 
(FranceConnect) resends as-is in the request to /token, to be verified by 
the FS. It is used to prevent replay attacks"

I'll create a JIRA in Keycloak.

Raphaël.

On 04/01/2018 at 22:06, Marek Posolda wrote:
> Yes, Keycloak doesn't add "nonce" to the requests to identity 
> providers. But IMO that's not Keycloak's fault that your scenario 
> doesn't work, because "nonce" is not required, but just "optional" per 
> the OIDC specification in Authorization Code flow. See [1].
>
> Is FranceConnect using Authorization Code Flow or some other 
> OIDC/OAuth2 flow? If it's using some other flow (e.g. Implicit flow), 
> is it possible to switch it to use Authorization Code flow instead? If 
> it already uses Authorization Code flow, then it's a mistake on their 
> side, as "nonce" is an optional parameter per the specs, so they shouldn't 
> require it.
>
> Still, you can maybe create JIRA in Keycloak for adding nonce. There 
> shouldn't be any significant issue with adding it (besides the URL to 
> identityProviders will be a bit longer).
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
>
> Marek
>
>
> On 04/01/18 15:59, Raphaël HOAREAU wrote:
>> Hi,
>>
>> I'm facing an issue where I use an external OIDC IdP (FranceConnect) for
>> my users to log in.
>>
>> When trying to log in with this provider, I get this error:
>>
>> {"status":"fail","message":"The following fields are missing or empty 
>> : nonce"}
>>
>> If I manually put &nonce=someRandomInt in the URL, the process 
>> continues.
>>
>> Am I missing something in my Identity Provider configuration? Is there
>> a way to add a parameter when requesting the external provider?
>>
>>
>> Regards,
>>
>> Raphaël HOAREAU.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
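The nonce handling discussed in this thread, as an added illustration that is not part of the original messages nor Keycloak's code: the relying party (FS) generates an unpredictable nonce, puts it in the Authorization Code flow request, and later checks that the ID token carries the same value exactly once. Endpoint, client id and redirect URI are constructed placeholders, not FranceConnect's values.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed placeholder values (assumptions, not FranceConnect's real endpoints).
AUTHORIZE_URL = "https://idp.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://rp.example/callback"


def new_nonce():
    """Unpredictable, single-use nonce; the RP stores it in the login session."""
    return secrets.token_urlsafe(32)


def build_auth_request(nonce, state):
    """Authorization Code flow request that includes nonce, as FranceConnect requires.
    Keycloak (per the thread) omits this parameter when brokering to an external IdP."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def query_param(url, name):
    """Return the first value of a query parameter in url, or None."""
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def verify_nonce(id_token_claims, session):
    """Compare the ID token's nonce claim with the one stored for this login.
    The stored value is removed on every attempt, so a replayed token (same
    nonce presented twice), a missing claim, or a mismatch all fail."""
    expected = session.pop("nonce", None)
    received = id_token_claims.get("nonce")
    if expected is None or not isinstance(received, str):
        return False
    return secrets.compare_digest(expected, received)
```

In a real deployment the nonce check runs after signature, issuer, audience and expiry validation of the ID token; it is the binding between this login attempt and the token, not a substitute for those checks.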


