Adding support for a nonce
According to the OpenID Connect spec:

> nonce
> String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case-sensitive string.

Right now, if a client passes a "nonce", we don't give it back and
the client fails. This is happening to me right now with the client
from Matrix Synapse.

Here, I'm creating a new service (`CurrentRequestService`).
With this new service, I can get the current PSR-7 request.

I extend the AuthCodeGrant and inject this service into the extended class.
With this, I can:

- read the "nonce" from the request
- encode the "nonce" in the "code"

Then, in the `IdTokenResponse`, I read the "code" (if it is present),
extract the "nonce" and inject it in the ID token as a new claim.

The whole process is inspired by this comment: steverhoades/oauth2-openid-connect-server#47 (comment)

With those changes, the nonce is correctly handled and I've successfully
tested a connection with the OpenID client from Matrix Synapse.
moufmouf committed Jun 17, 2024
1 parent 16f2c2e commit 0f704b3
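The nonce round trip the commit message describes (client sends nonce, authorization server carries it through the authorization code, token endpoint copies it into the ID token, client checks it), as an added example that is not part of this commit or of the library's code. It is a Python stand-in for the PHP implementation: issue_code, redeem_code, the HMAC-protected JSON code payload (standing in for the library's Defuse-encrypted code) and the dict ID token (standing in for the signed JWT) are all assumptions. It also models the pre-fix behaviour the message reports, where the server drops the nonce and a conforming client such as Synapse rejects the token.

```python
"""Added example (not the commit's or the library's code): nonce round trip."""
import base64
import hashlib
import hmac
import json
import secrets

# Server-side secret protecting authorization-code payloads (constructed here;
# plays the role of the library's encryption key for the code).
CODE_KEY = secrets.token_bytes(32)


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- relying party (client) side -------------------------------------------
def start_auth_request(session: dict) -> dict:
    """Mint a fresh nonce, remember it in the session, send it in the request."""
    session["nonce"] = secrets.token_urlsafe(32)
    return {"response_type": "code", "client_id": "client-abc",
            "scope": "openid", "nonce": session["nonce"]}


def verify_id_token(session: dict, id_token: dict) -> None:
    """Spec: if a nonce was sent, the ID token MUST carry the same value."""
    expected = session.pop("nonce", None)  # single use: consumed on first check
    if expected is None:
        raise ValueError("no nonce pending for this session (replay?)")
    got = id_token.get("nonce")
    # Case-sensitive, constant-time comparison; a missing claim also fails.
    if got is None or not hmac.compare_digest(got.encode(), expected.encode()):
        raise ValueError("nonce missing from ID token or does not match")


# --- authorization server side ---------------------------------------------
def issue_code(auth_request: dict, user_id: str) -> str:
    """Authorize endpoint: carry the request's nonce inside the code, unmodified."""
    payload = {"user_id": user_id, "client_id": auth_request["client_id"]}
    if "nonce" in auth_request:
        payload["nonce"] = auth_request["nonce"]
    body = json.dumps(payload, separators=(",", ":")).encode()
    tag = hmac.new(CODE_KEY, body, hashlib.sha256).digest()
    return _b64u(body) + "." + _b64u(tag)


def redeem_code(code: str) -> dict:
    """Token endpoint: authenticate the code before trusting anything inside it."""
    body_b64, tag_b64 = code.split(".", 1)
    body, tag = _b64u_decode(body_b64), _b64u_decode(tag_b64)
    if not hmac.compare_digest(hmac.new(CODE_KEY, body, hashlib.sha256).digest(), tag):
        raise ValueError("authorization code failed integrity check")
    payload = json.loads(body)
    id_token = {"iss": "https://as.example", "sub": payload["user_id"],
                "aud": payload["client_id"]}
    if "nonce" in payload:
        id_token["nonce"] = payload["nonce"]  # the MUST from the spec quoted above
    return id_token


# --- end-to-end scenarios --------------------------------------------------
def run_flow(server_forwards_nonce: bool = True) -> bool:
    """True when the client accepts the ID token, False when it rejects it."""
    session: dict = {}
    request = start_auth_request(session)
    if not server_forwards_nonce:
        # Pre-fix server: the nonce never makes it into the code, so the
        # ID token comes back without it and the client must refuse it.
        request = {k: v for k, v in request.items() if k != "nonce"}
    id_token = redeem_code(issue_code(request, "user-42"))
    try:
        verify_id_token(session, id_token)
        return True
    except ValueError:
        return False


def replayed_token_is_rejected() -> bool:
    """The same ID token presented twice: the second check has no pending nonce."""
    session: dict = {}
    id_token = redeem_code(issue_code(start_auth_request(session), "user-42"))
    verify_id_token(session, id_token)
    try:
        verify_id_token(session, id_token)
        return False
    except ValueError:
        return True


def forged_code_is_rejected() -> bool:
    """Rewriting the user inside a code without CODE_KEY must fail at the AS."""
    request = start_auth_request({})
    _, tag = issue_code(request, "user-42").split(".", 1)
    forged = json.dumps({"user_id": "admin", "client_id": request["client_id"],
                         "nonce": request["nonce"]}, separators=(",", ":")).encode()
    try:
        redeem_code(_b64u(forged) + "." + tag)
        return False
    except ValueError:
        return True
```

The point the commit fixes is run_flow(False): a client that sent a nonce and gets an ID token without one must fail closed, which is exactly what Synapse did. The integrity check in redeem_code matters because the nonce (and the user identity) ride inside the code; in the library that role is played by the authenticated encryption of the code, and a server that decoded an unauthenticated code would let a client choose any nonce or subject it liked.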
Showing 5 changed files with 6 additions and 3 deletions.
1 change: 1 addition & 0 deletions src/Grant/AuthCodeGrant.php
Expand Up @@ -8,6 +8,7 @@
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
use League\OAuth2\Server\ResponseTypes\RedirectResponse;
use OpenIDConnect\Interfaces\CurrentRequestServiceInterface;
use Psr\Http\Message\ResponseInterface;

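Review bot: the only change in this file is the added `use OpenIDConnect\Interfaces\CurrentRequestServiceInterface;` line; the constructor injection and the reading of the nonce into the code that the commit message attributes to the extended AuthCodeGrant are not in this diff (the whole commit is 6 additions and 3 deletions, all imports and whitespace). Either that logic landed in the parent commit, in which case the message should say so, or this import is currently unused and static analysis will flag it.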
1 change: 1 addition & 0 deletions src/IdTokenResponse.php
Expand Up @@ -6,6 +6,7 @@

use DateInterval;
use DateTimeImmutable;
use Defuse\Crypto\Key;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Configuration;
use League\OAuth2\Server\CryptTrait;
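Review bot: `use Defuse\Crypto\Key;` is added without any visible use. This file already imports League\OAuth2\Server\CryptTrait, whose decrypt() only works if the response type has been given the same encryption key the AuthorizationServer was built with (setEncryptionKey()); the new import makes sense only if a Key object is now accepted and passed through there. Confirm that wiring, otherwise drop the import, because a missing key means the code cannot be decrypted and the nonce silently never reaches the ID token.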
2 changes: 1 addition & 1 deletion src/Interfaces/CurrentRequestServiceInterface.php
@@ -1,4 +1,4 @@
<?php
<?php

declare(strict_types=1);

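Review bot: the removed and added `<?php` lines render identically, so this hunk is an invisible change (a UTF-8 BOM, CRLF/LF or trailing-whitespace difference); the same one-line swap appears in LaravelCurrentRequestService.php and CurrentRequestService.php below. A stray BOM before `<?php` is worth removing, since PHP emits it as output before any header() call, but name it in the commit message or keep the whitespace fix in its own commit so that the nonce change stays reviewable and `git blame` stays useful.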
3 changes: 2 additions & 1 deletion src/Laravel/LaravelCurrentRequestService.php
@@ -1,4 +1,4 @@
<?php
<?php

declare(strict_types=1);

Expand All @@ -11,6 +11,7 @@

class LaravelCurrentRequestService implements CurrentRequestServiceInterface
{

public function getRequest(): ServerRequestInterface
{
return (new PsrHttpFactory(
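Review bot: the blank line added directly after the class's opening brace (between `{` and `public function getRequest()`) violates PSR-12, which says opening braces must not be followed by a blank line, and is unrelated to the nonce change; drop it.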
2 changes: 1 addition & 1 deletion src/Services/CurrentRequestService.php
@@ -1,4 +1,4 @@
<?php
<?php

declare(strict_types=1);


0 comments on commit 0f704b3