The validateIdToken function previously did not correctly validate the nonce claim in the ID Token due to improper handling of session state. The newSession variable, intended to indicate a new authentication session, was not reliably set, causing nonce validation to be skipped in all cases.
---------
Co-authored-by: Tom Noonan II <t.noonanii@f5.com>
Co-authored-by: Ivan Ovchinnikov <33402471+route443@users.noreply.github.com>
@@ -241,10 +237,9 @@ function validateIdToken(r) {
241
237
validToken=false;
242
238
}
243
239
244
-
// If we receive a nonce in the ID Token then we will use the auth_nonce cookies
245
-
// to check that the JWT can be validated as being directly related to the
246
-
// original request by this client. This mitigates against token replay attacks.
247
-
if(newSession){
240
+
// According to OIDC Core 1.0 Section 2:
241
+
// "If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request."
242
+
if(r.variables.jwt_claim_nonce){
248
243
varclient_nonce_hash="";
249
244
if(r.variables.cookie_auth_nonce){
250
245
varc=require('crypto');
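Review bot: the new `if(r.variables.jwt_claim_nonce)` gate means the nonce check still runs only when the ID Token carries a nonce claim, which matches the quoted OIDC Core 1.0 Section 2 sentence, but a token that omits the claim is accepted even when this client issued a nonce (the `cookie_auth_nonce` branch shows the client retains one). Consider failing closed when `r.variables.cookie_auth_nonce` is set but `r.variables.jwt_claim_nonce` is empty, so that a token without the claim cannot skip the check. Also, the removed lines were the only place explaining why the auth_nonce cookie exists (tying the token to this client's original request as replay mitigation); keep that sentence next to the spec quote so the intent survives alongside the citation.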
@@ -255,6 +250,9 @@ function validateIdToken(r) {
255
250
r.error("OIDC ID Token validation error: nonce from token ("+r.variables.jwt_claim_nonce+") does not match client ("+client_nonce_hash+")");
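Review bot: when the auth_nonce cookie is absent, `client_nonce_hash` keeps its initial value `""` (set in the previous hunk), so if the comparison reaches this `r.error` it reports `does not match client ()` and leaves the operator guessing whether the cookie was missing or the hash differed. Suggest a distinct message for the missing-cookie case, e.g. `r.error("OIDC ID Token validation error: nonce present in token but no auth_nonce cookie from client");`, and keep the current text for a genuine mismatch.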