
Nonce validation

Open · aagmv opened this issue 2 years ago • 1 comment

OIDC has a nonce mechanism that gets included in the JWT to prevent replay attacks. Comparing it after decoding isn't particularly difficult, but neither would be checking the issuer or audience.

It still might be useful to integrate it as part of the decode-and-validate step. This could maybe be done similarly to the set_required_spec_claims method, with a set_expected_claim_values.

The downside is that it forces a new Validation object to be allocated on every request because the nonce changes every time.

```rust
use std::collections::HashMap;
use jsonwebtoken::{decode, errors::Result, TokenData, Validation};

fn process_token(raw_token: &str, nonce: &str) -> Result<TokenData<Claims>> {
    let mut val = Validation::default();
    // ...
    // Proposed API (not in the crate): expected values for specific claims.
    val.set_expected_claim_values(HashMap::from([("nonce", nonce)]));

    decode::<Claims>(raw_token, todo!(), &val)
}
```

aagmv avatar Dec 14 '23 15:12 aagmv
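The post above argues that comparing the nonce after decoding is as easy as an issuer or audience check, and sketches an `expected claim values` step. The example below (added here; it is neither the issue author's code nor part of the jsonwebtoken crate) shows what such a check looks like once the library has already verified the signature and the spec claims. The claims are modelled as a plain `HashMap<String, String>` instead of the crate's `TokenData`, the expected-value check is generic over any claim, and the nonce is additionally consumed from a per-request store so that the same ID token cannot be replayed after a successful login.

```rust
use std::collections::{HashMap, HashSet};

/// Claims already extracted from a verified token (signature, exp, iss, aud
/// checked by the library). Modelled as a plain map here; not the crate's type.
type Claims = HashMap<String, String>;

#[derive(Debug, PartialEq)]
enum ClaimError {
    Missing(String),
    Mismatch(String),
    Replayed,
}

/// Constant-time byte comparison so a wrong value does not reveal, through
/// timing, how many leading bytes matched the expected one.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// The check proposed in the issue, done after decode: every expected claim
/// must be present and equal to the value supplied for this request.
fn check_expected_claim_values(
    claims: &Claims,
    expected: &HashMap<&str, &str>,
) -> Result<(), ClaimError> {
    for (name, want) in expected {
        let got = claims
            .get(*name)
            .ok_or_else(|| ClaimError::Missing(name.to_string()))?;
        if !ct_eq(got.as_bytes(), want.as_bytes()) {
            return Err(ClaimError::Mismatch(name.to_string()));
        }
    }
    Ok(())
}

/// Nonces issued for authentication requests that have not completed yet.
/// A nonce is removed when consumed, which is what actually stops a replay.
struct NonceStore {
    pending: HashSet<String>,
}

impl NonceStore {
    fn new() -> Self {
        Self { pending: HashSet::new() }
    }

    /// Record the nonce sent in the authorization request.
    fn issue(&mut self, nonce: &str) {
        self.pending.insert(nonce.to_string());
    }

    /// Validate the token's nonce against the one expected for this request,
    /// then consume it so a second presentation of the same token fails.
    fn validate_and_consume(&mut self, claims: &Claims, expected: &str) -> Result<(), ClaimError> {
        check_expected_claim_values(claims, &HashMap::from([("nonce", expected)]))?;
        if !self.pending.remove(expected) {
            return Err(ClaimError::Replayed);
        }
        Ok(())
    }
}

fn main() {
    // Constructed sample: the relying party issued nonce "n-7f3a" and the
    // verified ID token carries it back.
    let mut store = NonceStore::new();
    store.issue("n-7f3a");
    let claims: Claims = HashMap::from([
        ("sub".to_string(), "user-1".to_string()),
        ("nonce".to_string(), "n-7f3a".to_string()),
    ]);
    println!("first use:  {:?}", store.validate_and_consume(&claims, "n-7f3a"));
    println!("second use: {:?}", store.validate_and_consume(&claims, "n-7f3a"));
}
```

Because the expected value is passed to the check rather than baked into a `Validation` object, nothing has to be reallocated per request; the library's `Validation` can stay a long-lived constant and only the small `HashMap` of expected values is built per call.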

Hmm, I don't think this would belong in the library because of the need to instantiate a new Validation object, as you say.

Keats avatar Dec 17 '23 20:12 Keats