[Openid-specs-ab] Issue #1052: make clear that nonce is always required for Hybrid flows (openid/connect)

Brian Campbell bcampbell at pingidentity.com
Wed Oct 3 19:04:18 UTC 2018


I firmly believe that that assumption ("that nonce is always required
for Hybrid flows no matter where the id_token is returned from") is *not
correct*.

Things would have been simpler, if Connect had just made nonce mandatory
for all authentication requests. But that's not the case.

The nonce parameter and claim are used to protect against replay of an ID
token. Direct replay or injection of an ID token is only possible when
returned from the Authorization Endpoint because that flows through the
browser via some sort of redirection. When an ID token is returned from the
Token Endpoint, it's over a direct HTTPS connection between client and
server and there's no opportunity for replay or injection of an ID token.
There is opportunity there for replay or injection of the authorization
code but there are other protections for that including one time use of the
code and redirect_uri checking on the access token request. That was the
logic underlying nonce being required for ID tokens when returned from the
Authorization Endpoint and optional for ID tokens when returned from the
Token Endpoint (and in turn when it is required on the authentication
request). That's why nonce is required for OIDC implicit flow (ID token
returned from the Authorization Endpoint) and optional for OIDC code flow
(ID token returned from the Token Endpoint). Consistent with that, for
hybrid it depends on the response_type with code id_token or code id_token
token requiring nonce while it's optional for code token.

Both Connect Core 3.3.2.11 and 3.3.2.12 are about the hybrid flow when ID
tokens are returned from the Authorization Endpoint, which is what the
text "apply to an ID Token returned from the Authorization Endpoint" and
"the contents of an ID Token returned from the Authorization Endpoint"
says. Whereas 3.3.3.6 and 3.3.3.7 are about ID tokens when returned from
the Token Endpoint.

Changing Core so that nonce is always required for Hybrid flows no matter
where the id_token is returned from would be a breaking change, which
really isn't okay for an errata.

Per spec, our AS/OP implementation only requires nonce on authentication
requests that have a response_type that contains id_token and would result
in an ID token returned from the Authorization Endpoint. It's worked that
way, per spec, since 2013. And it was OpenID Certified as a Hybrid OP (and
other profiles) in 2015.

https://github.com/rohe/oidctest/issues/111#issuecomment-426450954 is
indicative of an issue with the test suite, which, if not fixed, puts us in
the very bad position of having to introduce a breaking change to product
in order to re-certify.

[note: the above was copied from a comment made on Issue #1052
<https://bitbucket.org/openid/connect/issues/1052>]

On Tue, Oct 2, 2018 at 5:47 PM Hans Zandbelt via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> New issue 1052: make clear that nonce is always required for Hybrid flows
>
> https://bitbucket.org/openid/connect/issues/1052/make-clear-that-nonce-is-always-required
>
> Hans Zandbelt:
>
> Assuming that `nonce` is always required for Hybrid flows no matter
> where the `id_token` is returned from, also following:
> https://github.com/rohe/oidctest/issues/111#issuecomment-426450954
>
> In section 3.3.2.11.  ID Token for the Core spec,
> https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken, it
> describes the ID token in the Hybrid flow, which says
>
> > When using the Hybrid Flow, these additional requirements for the
> following ID Token
> > Claims apply to an ID Token returned from the Authorization Endpoint:
>
> Since an ID Token may also be returned from the Token Endpoint, that
> sentence seems to be too restrictive and the last part "returned from the
> Authorization Endpoint" should be removed.
>
> FWIW: this may be a left-over from
>
> > 3.3.2.12.  ID Token Validation
>
> where ID token validation is discussed for an `id_token` returned from the
> Authorization Endpoint, as opposed to:
>
> > 3.3.3.7.  ID Token Validation
>
> where ID token validation is discussed for an `id_token` returned from the
> Token Endpoint.
>
> OTOH: if section 3.3.2.11. is only about ID tokens returned from the
> Authorization Endpoint and it is supposed to be the counterpart of
>
> > 3.3.3.6.  ID Token
>
> where validation of the contents of an ID Token returned from the Token
> Endpoint is discussed, then the following should be added to the latter:
>
> > Use of the nonce Claim is REQUIRED for this flow.
>
> otherwise it is not clear that `nonce` is always required in Hybrid flows
> no matter where the ID token is returned from.
>
>

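The nonce binding the reply describes, as an added example that is not part of the original post or of any OpenID implementation: a relying party that generates a nonce only when the response_type will return an ID Token from the Authorization Endpoint, an OP-side check that rejects such a request when the nonce is missing, an OP that echoes the nonce into the token, and the RP-side validation that rejects an ID Token captured from one browser session and injected into another. Stdlib Python only; the HS256-style shared signing key, the issuer URL https://op.example, the client id rp-client and every function and class name are assumptions made for this demo (real OPs sign ID Tokens with asymmetric keys).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

OP_ISSUER = "https://op.example"        # assumed issuer for the demo
OP_KEY = b"constructed-demo-hmac-key"   # assumed shared key; real OPs use asymmetric keys


def nonce_required(response_type: str) -> bool:
    """nonce is required exactly when an ID Token will come back from the
    Authorization Endpoint, i.e. when 'id_token' is one of the response_type
    values. 'code' and 'code token' get theirs from the Token Endpoint only."""
    return "id_token" in response_type.split()


def op_check_auth_request(req: dict) -> Optional[str]:
    """OP side: error string if the request must carry a nonce but does not."""
    if nonce_required(req["response_type"]) and not req.get("nonce"):
        return "invalid_request: nonce is required when response_type contains id_token"
    return None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, client_id: str, nonce: Optional[str]) -> str:
    """OP side: mint a compact HS256-style ID Token, echoing the request nonce if any."""
    now = int(time.time())
    claims = {"iss": OP_ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 300}
    if nonce is not None:
        claims["nonce"] = nonce
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, client_id: str, expected_nonce: Optional[str]) -> dict:
    """RP side: signature, iss, aud, exp, then nonce. If the RP sent a nonce the
    claim must be present and equal; that is what defeats replay/injection of an
    ID Token that travelled through the browser."""
    header, body, sig = token.split(".")
    want = hmac.new(OP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64url_dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_dec(body))
    if claims.get("iss") != OP_ISSUER or claims.get("aud") != client_id:
        raise ValueError("wrong iss or aud")
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not issued for this login")
    return claims


class RelyingParty:
    """Minimal RP: one pending login per state; the nonce is kept server-side
    (or in an HttpOnly cookie) and consumed on first use."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self.pending: dict = {}  # state -> nonce, or None when none was sent

    def begin(self, response_type: str) -> dict:
        """Build the authentication request; add nonce only when required."""
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16) if nonce_required(response_type) else None
        self.pending[state] = nonce
        req = {"response_type": response_type, "client_id": self.client_id, "state": state}
        if nonce is not None:
            req["nonce"] = nonce
        return req

    def finish_front_channel(self, state: str, id_token: str) -> dict:
        """Handle the redirect back from the Authorization Endpoint."""
        if state not in self.pending:
            raise ValueError("unknown or already-used state")
        nonce = self.pending.pop(state)  # single use
        return validate_id_token(id_token, self.client_id, nonce)


def injection_scenario() -> tuple:
    """Victim logs in with 'code id_token'; the attacker captures the victim's ID
    Token from the front-channel redirect and injects it into the attacker's own
    pending login at the same RP. Returns (victim_login_ok, injection_rejected)."""
    rp = RelyingParty("rp-client")
    victim_req = rp.begin("code id_token")
    victim_token = issue_id_token("victim", "rp-client", victim_req["nonce"])
    attacker_req = rp.begin("code id_token")  # attacker's own browser session at the RP
    try:
        rp.finish_front_channel(attacker_req["state"], victim_token)
        injection_rejected = False
    except ValueError:
        injection_rejected = True
    victim_ok = rp.finish_front_channel(victim_req["state"], victim_token)["sub"] == "victim"
    return victim_ok, injection_rejected
```

The asymmetry the reply relies on is visible in the two validation paths: finish_front_channel is only ever reached by a token that came through a redirect, so it always has a stored nonce to compare against. A token fetched from the Token Endpoint over the RP's own TLS connection (the code and code token cases) is validated with whatever nonce the RP chose to send, or with expected_nonce=None when it sent none, and the code's one-time use and redirect_uri check carry the replay protection there instead.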