
Adding nonce to Authentication Request #4442 #4629


Closed
wants to merge 1 commit into from

Conversation

shazin
Contributor

@shazin shazin commented Oct 13, 2017

Adding nonce to Authentication Request #4442

@rwinch rwinch added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Oct 13, 2017
@@ -131,6 +132,8 @@ private void sendRedirectForAuthorization(HttpServletRequest request, HttpServle
Map<String,Object> additionalParameters = new HashMap<>();
additionalParameters.put(OAuth2Parameter.REGISTRATION_ID, clientRegistration.getRegistrationId());

String nonce = request.getParameter(OAuth2Parameter.NONCE);
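Review bot: Reading the nonce from the incoming request (`String nonce = request.getParameter(OAuth2Parameter.NONCE);`) lets whoever triggered the redirect choose the value and leaves it unbound to this login, so it gives the ID Token no replay protection. The filter should generate the nonce itself (a SecureRandom value), keep it with the saved authorization request next to `state`, add it to `additionalParameters` so it goes out in the Authentication Request, and later compare it against the ID Token's nonce claim. The hunk header announces two added lines but only this one is visible here; the `additionalParameters.put(...)` for the nonce should be reviewed with it.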
Contributor


The nonce does not come from the HttpServletRequest. It must be produced by this filter and added as a request parameter as part of the Authentication Request.

It then needs to get correlated/validated in the ID Token

See comment for implementation notes
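The flow the review comment asks for, as an added illustration that is not Spring Security's code: the filter generates the nonce, ties it to the pending authorization request by its state, sends it as the nonce parameter, and later checks the ID Token's nonce claim against the stored value. The class name, the wire name "registration_id" and the in-memory map standing in for a session-backed authorization request repository are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative nonce handling for an OIDC Authentication Request (not the project's implementation). */
public final class OidcNonceExample {
    private static final SecureRandom RANDOM = new SecureRandom();
    // Pending nonces keyed by the "state" parameter; stands in for a session-backed authorization request repository.
    private final Map<String, String> pendingNonceByState = new ConcurrentHashMap<>();

    /** Produces a fresh, unguessable nonce; it is never read from the incoming request. */
    public String newNonce() {
        byte[] buf = new byte[32];
        RANDOM.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Builds the extra redirect parameters and remembers the nonce under this request's state. */
    public Map<String, String> buildAdditionalParameters(String registrationId, String state) {
        String nonce = newNonce();
        pendingNonceByState.put(state, nonce);
        Map<String, String> params = new LinkedHashMap<>();
        params.put("registration_id", registrationId); // assumed wire name for OAuth2Parameter.REGISTRATION_ID
        params.put("nonce", nonce);                    // the OIDC "nonce" request parameter
        return params;
    }
    /** Checks the ID Token's nonce claim against the stored value; the stored value is consumed on first use. */
    public boolean validateIdTokenNonce(String state, String idTokenNonceClaim) {
        String expected = pendingNonceByState.remove(state);
        if (expected == null || idTokenNonceClaim == null) {
            return false;
        }
        // Constant-time comparison so timing does not leak how many leading bytes matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                idTokenNonceClaim.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) {
        OidcNonceExample filter = new OidcNonceExample();
        String state = filter.newNonce(); // state generated the same way for this demo
        Map<String, String> params = filter.buildAdditionalParameters("google", state);
        String nonceSentToProvider = params.get("nonce"); // the provider echoes it in the ID Token's nonce claim
        System.out.println("fresh token accepted: " + filter.validateIdTokenNonce(state, nonceSentToProvider));
        System.out.println("replayed token rejected: " + !filter.validateIdTokenNonce(state, nonceSentToProvider));
    }
}
```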

Contributor Author


@jgrandja I will work on these and commit

@jgrandja
Contributor

@shazin I'm going to close this PR due to inactivity. However, if your time opens up feel free to open a new PR and review the requirements and implementation notes in #4442. Thanks.

@jgrandja jgrandja closed this Nov 20, 2018