
fix(OIDC): typo + make PKCE and nonce mandatory as per specs#491

Merged
atinux merged 4 commits into atinux:main from sandros94:fix-oidc on Jan 26, 2026

Conversation

@sandros94 (Contributor) commented Jan 21, 2026

Followup for #444

Besides what seems to be a small typo, I wanted to jump in and help with the OIDC, and thus OAuth, specs.

First off, I made sure PKCE is always used. As per the spec this is not a replacement for client secrets, but instead a mitigation for man-in-the-middle and replay attacks. It was indeed originally developed for public clients in 2015 via RFC 7636, but over time it got adopted as a best practice for confidential clients too, and is now required as per the OAuth 2.1 drafts.

I also added nonce claim generation and checking. Since the current implementation uses OIDC as an SSO provider, it is best to follow the OIDC Core 1.0 spec and make sure that the issued tokens are actually bound to that specific client request. Its goal is also to mitigate replay attacks; in fact this was the original implementation of such prevention that made it into OIDC in 2014, but never into OAuth since the PKCE spec was already in draft (which did bring a number of advantages IMHO). This could theoretically be made an opt-out feature, but since we are using OIDC as an SSO identity provider it would also mean that such an IdP should conform to the best practices of the last decade or so.

P.S.: To check the nonce I limited myself to only decoding the id_token, which means we are not actually checking its signature. This is for two reasons:

  1. nuxt-auth-utils doesn't have any logic for managing all the uses and storage of JWTs and JWKs
  2. we are anyway going to make a call to the IdP right after to fetch the user's data. This means that in case of a replay attack we save the IdP from what would be a spam call (since our session has already been compromised), or the signature corruption has been done inside the IdP itself, meaning that the access_token is also compromised and we have no way to know or mitigate this.

pkg-pr-new (bot) commented Jan 21, 2026


npm i https://pkg.pr.new/atinux/nuxt-auth-utils@491

commit: 2935fc0

@sandros94 sandros94 changed the title fix(OIDC): typo + make PKCE and nonce mandatory as per latest spec revisions fix(OIDC): typo + make PKCE and nonce mandatory as per specs Jan 21, 2026
@atinux atinux merged commit 6f3a1a2 into atinux:main Jan 26, 2026
4 checks passed
@sandros94 sandros94 deleted the fix-oidc branch January 27, 2026 00:33