oidc-client icon indicating copy to clipboard operation
oidc-client copied to clipboard

Published 20 hours ago verified publisher icon AxaFrance

Does this library verify the state param and/or nonce ?

Open kareemsakr opened this issue 2 years ago • 17 comments

Issue and Steps to Reproduce

Intercept the authorization code or access token coming from the auth server and exchange them with different ones. Does this library

Versions

"@axa-fr/react-oidc": "5.10.9"

kareemsakr avatar Aug 10 '22 14:08 kareemsakr

Hi @kareemsakr,

AppAuthJS does this behind the scene during the signin phase. I have to check AppAuthJs code to be sure.

You are the second one to ask this question ^^

guillaume-chervet avatar Aug 10 '22 14:08 guillaume-chervet

It seems AppAuthJs does not do this, i will need to implement it: https://github.com/openid/AppAuth-JS/issues/65 It does not seem to hard to implement => https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

guillaume-chervet avatar Aug 10 '22 14:08 guillaume-chervet

Can you point me to where this logic should be placed ? Within the service worker ?

It seems AppAuthJs does not do this, i will need to implement it: openid/AppAuth-JS#65 It does not seem to hard to implement => https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

kareemsakr avatar Aug 10 '22 17:08 kareemsakr

It should be inside ServiceWorker when activated and in js client side when ServiceWorker is not activated.

guillaume-chervet avatar Aug 10 '22 20:08 guillaume-chervet

Hi @kareemsakr , i will look at it at the end of the month after my holiday.

guillaume-chervet avatar Aug 16 '22 09:08 guillaume-chervet

That would be amazing, thank you. Enjoy your time off

kareemsakr avatar Aug 16 '22 13:08 kareemsakr

I have started I think it will be quick to implement.

guillaume-chervet avatar Aug 23 '22 16:08 guillaume-chervet

I have published the nonce check. It will increase a lot the security (a lot in service worker mode).

guillaume-chervet avatar Aug 25 '22 13:08 guillaume-chervet

@kareemsakr , does it resolve your need?

guillaume-chervet avatar Aug 30 '22 05:08 guillaume-chervet

Hello @guillaume-chervet, thanks for your work,

is there a reason to have the nonce to compare to set to null as parameter in this line ? https://github.com/AxaGuilDEv/react-oidc/pull/842/files#diff-a6cedeb0a845a62e127dce959c0dae98412391726580079fbc7664a64e4efdefR1007 image

In my case, during a refresh_token, it fails to check the nonce:

i added following debug log to check in function:

and got image

so check failed and token is considered invalid

i tried with both service worker or without, both same result

fffan64 avatar Sep 07 '22 05:09 fffan64

Hi @fffan64 , Thank you for your issue.

I am not sure but i think you need to update the serviceworker.js file.

The service worker save the nonce and the javascript client does not know it after login. The updated service worker check the nonce and set it to null after that. So you will have null ===null.

guillaume-chervet avatar Sep 07 '22 05:09 guillaume-chervet

Sorry i'm not sure what i should update, can you guide me ?

but i dont think it is related to the OidcServiceWorker.js file as it doesnt work also if i dont use service worker.

in case of refresh scenario, if there is a nonce in the id token last retrieced, it is used directly for the comparison with null, thus failing.

fffan64 avatar Sep 07 '22 06:09 fffan64

@fffan64 , what is your configuration?

guillaume-chervet avatar Sep 07 '22 06:09 guillaume-chervet

for now:

const oidcConfiguration: OidcConfiguration = {
  client_id: process.env.REACT_APP_OIDC_CLIENT_ID || '',
  redirect_uri: OIDC_REDIRECT_URI,
  silent_redirect_uri: OIDC_SILENT_REDIRECT_URI,
  scope: process.env.REACT_APP_OIDC_SCOPE || '',
  authority: process.env.REACT_APP_OIDC_AUTHORITY || '',
  // service_worker_relative_url: '/OidcServiceWorker.js',
  // service_worker_only: true,
  refresh_time_before_tokens_expiration_in_second: 10,
  // monitor_session: true,
  extras: { prompt: 'consent' },
};

using a local oidc server, node-oidc-provider v6: https://github.com/panva/node-oidc-provider/tree/v6.x

fffan64 avatar Sep 07 '22 06:09 fffan64

for you information @guillaume-chervet ,

if i use the https://demo.duendesoftware.com/ as oidc server to connect with following conf

client id: interactive.confidential.short
grant type: authorization code with PKCE and client credentials
client secret: secret
access token lifetime: 75 seconds
allowed scopes: openid profile email api offline_access

it works, but this is because their id token, once refreshed, doesnt send a nonce in the payload, so it is undefined, and test is skipped

fffan64 avatar Sep 07 '22 06:09 fffan64

@guillaume-chervet just an idea, but while searching online i found this :

https://nice-hill-002425310.azurestaticapps.net/docs/documentation/configuration#ignorenonceafterrefresh

it is angular but the lib allow to check or not the nonce if it is after a refresh, maybe this can be added as an option ?

fffan64 avatar Sep 07 '22 07:09 fffan64

Hi @fffan64 ,

I have published a fix https://github.com/AxaGuilDEv/react-oidc/commit/385a3fcc63592d59dcc13e9d2b995ebf7b765faf Does it work for you with and without service worker?

guillaume-chervet avatar Sep 07 '22 08:09 guillaume-chervet

hi @fffan64

https://nice-hill-002425310.azurestaticapps.net/docs/documentation/configuration#ignorenonceafterrefresh it is angular but the lib allow to check or not the nonce if it is after a refresh, maybe this can be added as an option ?

sure yes it can, very sorry for the delay

guillaume-chervet avatar Nov 25 '22 17:11 guillaume-chervet

hi @kareemsakr , @fffan64 ,

Thank you for your issue. It has been done from a long time. refreshing token nonce check is done automaticaly if nonce is present inside service worker or not (no need of a configured property).

Feel free to reopen the issue if needed.

guillaume-chervet avatar Aug 08 '23 08:08 guillaume-chervet