
Should the library be automatically generating nonce and state parameter values?

Open · kurt-peters-seagull-com opened this issue 1 year ago · 1 comment

As part of the signin flow, I know that the library allows for nonce and state values to be manually specified, like so:

signinRedirect({
   nonce: GenerateRandom(), // function implementation left up to the user
   state: GenerateRandom(),
})

For some auth providers (like Auth0), these state and nonce parameters are required. But I'm wondering if this library is supposed to be generating those parameters automatically or if that's something that I need to be doing myself?

kurt-peters-seagull-com · Feb 05 '24 18:02

The current approach is that you have to do it on your own, as different IDPs may need different parameters.

Are you sure you need nonce?

  • https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
  • https://devforum.okta.com/t/authorization-code-flow-is-the-nonce-parameter-necessary/12150
    • If ‘response_type’ is code, a ‘nonce’ value isn’t required.

pamapa · Feb 06 '24 09:02