From 0f704b39d66772621fd31759d1633039d811761b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Thu, 18 Jan 2024 18:52:35 +0100 Subject: [PATCH] Adding support for a nonce According to the OpenID connect spec: > nonce > String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case-sensitive string. Right now, if a client passes a "nounce", we don't give it back and the client fails. This is happening to me right now with the client from Matrix Synapse. Here, I'm creating a new service (`CurrentRequestService`). With this new service, I can get the current PSR-7 request. I extend the AuthCodeGrant and inject this service into the extended class. With this, I can: - read the "nonce" from the request - encode the "nonce" in the "code" Then, in the `IdTokenResponse`, I read the "code" (if it is present), extract the "nounce" and inject it in the ID token as a new claim. The whole process is inspired by this comment: https://github.com/steverhoades/oauth2-openid-connect-server/issues/47#issuecomment-1228370632 With those changes, nounce is correctly handled and I've successfully tested a connection with the OpenID client from Matrix Synapse. --- src/Grant/AuthCodeGrant.php | 1 + src/IdTokenResponse.php | 1 + src/Interfaces/CurrentRequestServiceInterface.php | 2 +- src/Laravel/LaravelCurrentRequestService.php | 3 ++- src/Services/CurrentRequestService.php | 2 +- 5 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php index 82a15e4..56fa040 100644 --- a/src/Grant/AuthCodeGrant.php +++ b/src/Grant/AuthCodeGrant.php @@ -8,6 +8,7 @@ use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface; use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface; use League\OAuth2\Server\RequestTypes\AuthorizationRequest; +use League\OAuth2\Server\ResponseTypes\RedirectResponse; use OpenIDConnect\Interfaces\CurrentRequestServiceInterface; use Psr\Http\Message\ResponseInterface; diff --git a/src/IdTokenResponse.php b/src/IdTokenResponse.php index 9f8c281..6904d7f 100644 --- a/src/IdTokenResponse.php +++ b/src/IdTokenResponse.php @@ -6,6 +6,7 @@ use DateInterval; use DateTimeImmutable; +use Defuse\Crypto\Key; use Lcobucci\JWT\Builder; use Lcobucci\JWT\Configuration; use League\OAuth2\Server\CryptTrait; diff --git a/src/Interfaces/CurrentRequestServiceInterface.php b/src/Interfaces/CurrentRequestServiceInterface.php index ea31f30..9114802 100644 --- a/src/Interfaces/CurrentRequestServiceInterface.php +++ b/src/Interfaces/CurrentRequestServiceInterface.php @@ -1,4 +1,4 @@ -