Fix IDX21323: RequireNonce is 'False' during token refreshClient #240

Merged
merged 3 commits into from
Mar 9, 2024

Member

@halter73 halter73 commented Mar 8, 2024

See https://security.stackexchange.com/questions/147529/openid-connect-nonce-replay-attack and IdentityServer/IdentityServer4#2180 for the purpose of the nonce and why it's unnecessary for the token refresh.

This also switches to using OpenIdConnectOptions.Backchannel rather than its own HttpClient so it gets an OIDC-specific user agent and includes any other customizations that might be necessary for communicating with the given OIDC provider.

Fixes dotnet/aspnetcore#53585
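
The nonce rule the description above points to, as an added example that is not part of this PR or the sample app. It models the OpenID Connect Core checks (sections 3.1.3.7 and 12.2) in plain Python rather than the ASP.NET Core API; the function names, the claim values, and the idea that the client keeps the original ID token's claims for comparison are assumptions.

```python
import hmac
import time

class IdTokenError(Exception):
    """Raised when an ID token's claims fail validation."""

def _check_common(claims, issuer, client_id, now):
    # Checks shared by both flows. Signature verification is assumed done.
    if claims.get("iss") != issuer:
        raise IdTokenError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("aud does not contain client_id")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("token expired")

def validate_login_id_token(claims, issuer, client_id, session_nonce, now=None):
    """Authorization code flow: the nonce binds the token to the request
    this browser session started, so it must be present and must match."""
    _check_common(claims, issuer, client_id, time.time() if now is None else now)
    token_nonce = claims.get("nonce")
    if not session_nonce or not token_nonce:
        raise IdTokenError("nonce missing")
    if not hmac.compare_digest(token_nonce.encode(), session_nonce.encode()):
        raise IdTokenError("nonce mismatch")
    return claims

def validate_refreshed_id_token(claims, original, issuer, client_id, now=None):
    """Refresh: a back-channel call with no new authentication request, so
    there is no fresh nonce. Continuity with the original token is checked."""
    _check_common(claims, issuer, client_id, time.time() if now is None else now)
    if claims.get("sub") != original.get("sub"):
        raise IdTokenError("sub changed across refresh")
    if ("auth_time" in claims and "auth_time" in original
            and claims["auth_time"] != original["auth_time"]):
        raise IdTokenError("auth_time changed across refresh")
    # A refreshed token should carry no nonce; if it does, it must be the original.
    if "nonce" in claims and claims["nonce"] != original.get("nonce"):
        raise IdTokenError("nonce differs from original login")
    return claims

# Constructed sample claims (not real tokens).
ISSUER, CLIENT_ID = "https://idp.example", "blazor-app"
ORIGINAL = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "exp": 2_000,
            "auth_time": 1_000, "nonce": "n-constructed-123"}
REFRESHED = {"iss": ISSUER, "aud": [CLIENT_ID], "sub": "user-1", "exp": 5_000,
             "auth_time": 1_000}
```

Running the login validator on a refreshed token fails because no nonce is available to compare, which is the situation a refresh path has to handle with its own rules.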

@halter73 halter73 requested a review from guardrex March 8, 2024 23:48
Collaborator

@guardrex guardrex left a comment

I only updated the namespaces to match the rest of the app.

Successfully merging this pull request may close these issues.

8.0 BlazorWebAppOidc IDX21323: RequireNonce is 'False'