ueberauth

Support for nonces

Open aloukissas opened this issue 2 years ago • 1 comment

Problem Statement

I'm implementing a custom oauth2 strategy at the moment and the documentation suggests using a nonce (in addition to the state param) to avoid replay attacks.

Solution Brainstorm

I would imagine this would look quite similar to the PR that added the state param. Happy to submit a PR for this but I don't have much security background, so maybe someone from the core team can help here?

aloukissas avatar Jun 27 '23 17:06 aloukissas

I am braindead reading things like https://auth0.com/docs/secure/attack-protection/state-parameters#csrf-attacks and figuring out the REAL differences between state and nonce https://community.auth0.com/t/state-vs-nonce-in-auth0-js/21761

.... you gotta love oauth2 simplicity ...

We need to read the nonce from the query params if the conn is in the strategies. At the Ueberauth level (not the strategy), the question is: must we generate a nonce if it doesn't exist?

yordis avatar Sep 12 '23 04:09 yordis
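As an added example (not ueberauth's own code), here is one way the state/nonce split discussed above can be implemented in a strategy: the state param is echoed back in the callback query string, while the nonce is bound into the provider's ID token and checked against a server-side copy. It assumes a Plug.Conn with a configured session, a claims map from an ID token whose signature has already been verified, and `Plug.Crypto.secure_compare/2` from plug_crypto.

```elixir
defmodule NonceExample do
  @moduledoc """
  Added example, not part of ueberauth: issue a per-request nonce alongside the
  state param and verify it when the ID token comes back.
  Assumes a Plug.Conn with a session and an already signature-verified claims map.
  """
  import Plug.Conn

  @session_key "ueberauth_nonce"

  # Request phase: generate a fresh, unguessable nonce, remember it server-side,
  # and return the query params to append to the provider's authorize URL.
  def put_nonce(%Plug.Conn{} = conn, params) when is_list(params) do
    nonce = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
    conn = put_session(conn, @session_key, nonce)
    {conn, Keyword.put(params, :nonce, nonce)}
  end

  # Callback phase: unlike `state`, the nonce is not read back from the query
  # string; it arrives inside the signed ID token and must equal the stored value.
  def verify_nonce(%Plug.Conn{} = conn, %{} = claims) do
    expected = get_session(conn, @session_key)
    # Single use: consume the stored nonce whether or not the check succeeds,
    # so a replayed ID token cannot be accepted a second time.
    conn = delete_session(conn, @session_key)

    case {expected, Map.get(claims, "nonce")} do
      {nil, _} ->
        {:error, :missing_session_nonce, conn}

      {_, nil} ->
        {:error, :missing_token_nonce, conn}

      {exp, got} when is_binary(exp) and is_binary(got) ->
        # Constant-time comparison avoids leaking the expected value via timing.
        if Plug.Crypto.secure_compare(exp, got),
          do: {:ok, conn},
          else: {:error, :nonce_mismatch, conn}

      _ ->
        {:error, :invalid_token_nonce, conn}
    end
  end
end
```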