Add OIDC nonce to the authorisation request
Activity

Philip Smart, December 3, 2020 at 3:57 PM (edited)
Have added a capabilities interface in much the same way as the StorageService. Will allow the Nimbus client to add an OIDC nonce, but will keep the existing behaviour of the DuoWeb SDK.
I think they really should be adding the nonce. They have support for it in their validator. Perhaps there is a reason it is not useful in the auth_code flow that I do not know about. Or they overlooked that part of their API - I could raise a ticket with them on GitHub.

Philip Smart, December 3, 2020 at 3:56 PM (edited)
Adding this link for my own reference - https://docs.google.com/document/d/15JetlsX2Wk3OvNqdjmi-wPoBr1-KIm1lDIfMgF6sB74/edit#heading=h.v816heh8w21r
Details
Resolution Fixed
Created December 1, 2020 at 9:28 AM
Updated March 24, 2021 at 3:41 PM
Resolved December 4, 2020 at 2:31 PM
The Duo OP supports the use of a nonce in the authorisation request, which is echoed back in the id_token and can be used to mitigate replay attacks.
The Duo WebSDK v4 (1.0.3) API does not directly support setting this. It seems easy to add/validate it using the Nimbus client module.
As the Duo WebSDK does not support it, we either need a way to inform the controller of the capabilities of the client before it constructs the authorisation request URL, or the WebSDK adaptor class would need to add it to the URL so that both clients operate in the same way (conforming to a newly amended API contract).
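The relying-party side of the nonce handling described above, as an added example that is not code from the Duo plugin, the Duo WebSDK or the Nimbus client: a nonce is minted per request, carried in the authorisation URL, bound server-side to the session state, and the id_token is accepted only if it echoes that nonce and only the first time it is presented. The endpoint URLs, client id, `NonceStore` class and the unsigned `constructed_id_token` helper are assumptions made for an offline run; signature, issuer, audience and expiry checks are assumed to be done by the JWT library (Nimbus in the real plugin) before the nonce check.

```python
"""Relying-party side of the OIDC nonce check: mint a nonce, send it in the
authorisation request, and require the id_token to echo it back exactly once."""
import base64
import json
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def new_nonce() -> str:
    """Unguessable per-request value; an attacker cannot precompute it."""
    return secrets.token_urlsafe(32)


def build_authorisation_url(authz_endpoint: str, client_id: str,
                            redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization Code flow request carrying the nonce parameter."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


class NonceStore:
    """Hypothetical server-side record of outstanding nonces keyed by state.
    A nonce is removed the first time it is consumed, so a replayed id_token
    has nothing left to match against."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self._ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, state: str, nonce: str, now: float) -> None:
        self._pending[state] = (nonce, now + self._ttl)

    def consume(self, state: str, now: float) -> Optional[str]:
        entry = self._pending.pop(state, None)
        if entry is None:
            return None
        nonce, expires_at = entry
        return nonce if now < expires_at else None


def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload only. Signature, issuer, audience and expiry
    checks are assumed to be done by the JWT library before this point."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def nonce_matches(claims: dict, expected: Optional[str]) -> bool:
    """Constant-time compare; a missing, non-string or unexpected nonce fails."""
    actual = claims.get("nonce")
    if expected is None or not isinstance(actual, str):
        return False
    return secrets.compare_digest(actual, expected)


def constructed_id_token(claims: dict) -> str:
    """Constructed, unsigned token for this offline demo; a real OP signs it."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def run_flow() -> Tuple[bool, bool]:
    """Returns (first presentation accepted, replayed presentation accepted)."""
    store = NonceStore()
    now = time.time()
    state, nonce = secrets.token_urlsafe(16), new_nonce()
    url = build_authorisation_url("https://op.example/authorize", "client-id",
                                  "https://rp.example/callback", state, nonce)
    store.issue(state, nonce, now)
    # The OP copies the nonce it received into the id_token it issues.
    echoed = parse_qs(urlsplit(url).query)["nonce"][0]
    token = constructed_id_token({"iss": "https://op.example", "sub": "alice",
                                  "nonce": echoed})
    first = nonce_matches(id_token_claims(token), store.consume(state, now))
    # Presenting the same token again finds no pending nonce and is rejected.
    second = nonce_matches(id_token_claims(token), store.consume(state, now))
    return first, second


if __name__ == "__main__":
    print(run_flow())  # (True, False)
```

The nonce is keyed by `state` rather than stored globally so that a token minted for one browser session cannot be accepted in another, and `consume` pops the entry so the second check in `run_flow` fails even though the token itself is unchanged.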