bug: Cognito does not create a nonce for the id token if one is provided with the authorization request
Is there an existing issue for this?
- [X] I have searched the existing issues
Current Behavior
Authorization request:

```text
https://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/authorize?client_id=2bk6di6h81j4dw823c95qm4nr3&redirect_uri=https%3A%2F%2F44bcfb9d.cloudfront.localhost.localstack.cloud&response_type=code&scope=openid%20profile%20email&nonce=51d70c0fcc92899db2a8c6fbfbb9a38cf0IpKZfH6&state=8d7b5b72c0c2a43862d98478e5927d15d8u3ArarE&code_challenge=FA7RCSdNIweiuCr7ThHi0eBMkrhklCVlEe28brPF_A0&code_challenge_method=S256
```

Login:

```text
https://localhost.localstack.cloud:4566/_aws/cognito-idp/login?client_id=2bk6di6h81j4dw823c95qm4nr3&redirect_uri=https%3A%2F%2F44bcfb9d.cloudfront.localhost.localstack.cloud&response_type=code&scope=openid%20profile%20email&nonce=51d70c0fcc92899db2a8c6fbfbb9a38cf0IpKZfH6&state=8d7b5b72c0c2a43862d98478e5927d15d8u3ArarE&code_challenge=FA7RCSdNIweiuCr7ThHi0eBMkrhklCVlEe28brPF_A0&code_challenge_method=S256
```

Token:

```text
http://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token
grant_type=authorization_code&client_id=2bk6di6h81j4dw823c95qm4nr3&code_verifier=c46b788c439bdd1c26d1f593559bf4fc7a726bab9675b07b9edd6ad70eb4ceQ4CXv&code=927630&redirect_uri=https%3A%2F%2F44bcfb9d.cloudfront.localhost.localstack.cloud
```

Response:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjA4MjY1OWJkLTE3ZGUtNGI5ZS05OGYzLWVjOGNmYTJiNzAyZiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjYxMDg5NjEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QubG9jYWxzdGFjay5jbG91ZDo0NTY2L3VzLWVhc3QtMV81Yzg3OTBkMjE0MjM0MTkyYTlmYzgzMWQ2NDQ4ZDQzMCIsInN1YiI6Ijk3NGQzNWU2LTg2YzAtNGQ5NS1iZDQ3LTZjYzk3Mjg2YzZhZCIsImF1dGhfdGltZSI6MTcyNjEwNTM2MSwiaWF0IjoxNzI2MTA1MzYxLCJldmVudF9pZCI6ImY0MTllZTk5LTU3NGUtNDI2Ni05MTI5LTU2YTIxMTVlNGFiZiIsInRva2VuX3VzZSI6ImFjY2VzcyIsInVzZXJuYW1lIjoiYWRtaW4iLCJqdGkiOiIwZTg4MjE5NC1iMjcwLTRiZDQtYjg4MS03MDc2MDI5NDg2NWYiLCJjbGllbnRfaWQiOiIyYms2ZGk2aDgxajRkdzgyM2M5NXFtNG5yMyIsInNjb3BlIjoiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW4ifQ.MvopENfDTuRNsyD88iEe8QC-WY3p8aOAkeVnUd8NepcmGMTx52GhYN3zR_XO1yOTHIXGtvJIne6DiwLuCXPBKL61j4O3_S65nmCG88vIqTnyBN7hg4fCLbNVMYkfmjFN4IpOyQCRxLUI4auHkf28f5sh5XoK_sQpQrM96iSzzQPaT1B9xv5Ij-CFkUKicBOtzRan0izYgmPx71Qvh0jHg7bPLgNu4DHzy6461_ZAO9-Azpea3QDuNHDWQd5nls-ojU0hqhaUYmTipzwLhTLfwAJqN5Wss4u-igffmXVlzWzdyBld4AWw-aVDjHOjjD9oUh1ghg4z9cyGddDg8mjhdQ",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "331f0486",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjA4MjY1OWJkLTE3ZGUtNGI5ZS05OGYzLWVjOGNmYTJiNzAyZiIsInR5cCI6IkpXVCJ9....zcb5tnahFefpI1BgAb3SW0rUYAheFHaoCL5y_58nqphk0_kO9a8Mgy6OLKN_C10qbSG9qL6cyteH-DCSOs9idWS1Qcnn2-KYYwnayej5V7YIC7xgL9-ps8x8f1v5zgRzqbqtnMzeRFdSNpmw1WCi9VuDemmUfoqlCGf-_OCJCeenZIIe37JjrgGvRLiTRacHIcXGNLapTrLOliY_SGwnVz7gbiGA2PmNgAmMpleRhKTZI1A4wO3cfzFU7h8CiQIzUobKOX7erjBzEz9dNQF0dszZUeeTQMadRR9TAPEJAs2xtg_yePAi9US4aqdNdCz2T7Z_r9cExGvthqq-zXy2pA"
}
```
Nonce is missing from the id token
Expected Behavior
Nonce is expected to be present in the id token since it was provided with the authorization request. This breaks clients like angular-oauth-oidc-client. Token validation and authentication will fail if not present.
```typescript
// Excerpt from the client library's TokenValidationService (method body as posted).
// id_token C9: The value of the nonce Claim MUST be checked to verify that it is the same value as the one
// that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks.
// The precise method for detecting replay attacks is Client specific.
// However the nonce claim SHOULD not be present for the refresh_token grant type
// https://bitbucket.org/openid/connect/issues/1025/ambiguity-with-how-nonce-is-handled-on
// The current spec is ambiguous and KeyCloak does send it.
validateIdTokenNonce(
  dataIdToken: any,
  localNonce: any,
  ignoreNonceAfterRefresh: boolean,
  configuration: OpenIdConfiguration
): boolean {
  // Only a refresh-token flow may legitimately come back without a nonce claim.
  const isFromRefreshToken =
    (dataIdToken.nonce === undefined || ignoreNonceAfterRefresh) &&
    localNonce === TokenValidationService.refreshTokenNoncePlaceholder;

  if (!isFromRefreshToken && dataIdToken.nonce !== localNonce) {
    this.loggerService.logDebug(
      configuration,
      'Validate_id_token_nonce failed, dataIdToken.nonce: ' +
        dataIdToken.nonce +
        ' local_nonce:' +
        localNonce
    );
    return false;
  }
  return true;
}
```
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)
docker compose up
Environment
- OS: Ubuntu 20.04
- LocalStack: pro latest
LocalStack version: 3.7
LocalStack Docker image sha: 89c502159865d27a1e46147728bccd932eea62ec6d35be93eb2bd6c95d0ba2cb
LocalStack build date:
LocalStack build git hash:
Anything else?
No response
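A claim-level reproduction of the check the report describes, written in Python as an added example (not code from this issue, from LocalStack or from the Angular client library): it reads the nonce off the authorize URL, decodes the id_token payload from the token response without verifying the signature, and applies the OIDC nonce rule. The tokens, `client_id` and `sub` values are constructed; only the nonce value is taken from the authorize URL above.

```python
import base64
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

PAGE_NONCE = "51d70c0fcc92899db2a8c6fbfbb9a38cf0IpKZfH6"  # nonce from the authorize URL in the report

def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Claims of a compact JWS. The signature is NOT verified: this inspects claims only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def nonce_from_authorize_url(url: str) -> Optional[str]:
    """The nonce the client sent on the /oauth2/authorize request, if any."""
    values = parse_qs(urlparse(url).query).get("nonce")
    return values[0] if values else None

def validate_id_token_nonce(claims: dict, expected: Optional[str]) -> Tuple[bool, str]:
    """OIDC Core 3.1.3.7: a nonce sent on the request MUST come back unchanged in the id_token."""
    if expected is None:
        return True, "no nonce sent, nothing to check"
    actual = claims.get("nonce")
    if actual is None:
        return False, "nonce claim missing from id_token"
    if actual != expected:
        return False, "nonce mismatch"
    return True, "nonce matches"

def check_token_response(authorize_url: str, token_response: dict) -> Tuple[bool, str]:
    """Join both halves of the flow: authorize URL nonce vs. id_token nonce claim."""
    claims = decode_jwt_payload(token_response["id_token"])
    return validate_id_token_nonce(claims, nonce_from_authorize_url(authorize_url))

# Constructed sample data (not real tokens; the signature segment is a placeholder).
def fake_id_token(claims: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

AUTHORIZE_URL = ("https://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/authorize"
                 f"?client_id=example&response_type=code&scope=openid&nonce={PAGE_NONCE}")
LOCALSTACK_LIKE = {"id_token": fake_id_token({"sub": "user-1", "token_use": "id"})}   # no nonce echoed
AWS_LIKE = {"id_token": fake_id_token({"sub": "user-1", "token_use": "id", "nonce": PAGE_NONCE})}
```

`check_token_response(AUTHORIZE_URL, LOCALSTACK_LIKE)` reports the missing claim, while the AWS-shaped response passes; pointing `decode_jwt_payload` at a real `id_token` from the `/oauth2/token` response gives the same diagnosis without an Angular client in the loop.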
Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.
Hello 👋! It looks like this issue hasn’t been active in longer than five months. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.
I am also experiencing this issue and it is preventing me from moving forward.
The nonce is missing in the id_token claims when running Cognito with LocalStack. The nonce is included in the id_token when running the Cognito with AWS.
Should I open a new ticket?