[Feature] Use the nonce parameter in OIDC authorization request to mitigate replay attacks #2276

Closed
2 tasks
jirutka opened this issue Dec 10, 2024 · 1 comment · Fixed by #2328
Labels
enhancement New feature or request OIDC OpenID Connect related issues
jirutka commented Dec 10, 2024

Use case

The nonce parameter is used to mitigate replay attacks. It’s not required by the OpenID Connect Core specification, but it’s required by some OIDC/OAuth profiles, e.g. Financial-grade API Security Profile 1.0 and FAPI 2.0 Security Profile.

Description

OpenID Connect Core 1.0 – 3.1.2.1 Authentication Request:

nonce String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature

How can it be implemented?

No response

@jirutka jirutka added the enhancement New feature or request label Dec 10, 2024
@jirutka jirutka changed the title [Feature] Set the nonce parameter in OIDC authorization request to mitigate replay attacks [Feature] Use the nonce parameter in OIDC authorization request to mitigate replay attacks Dec 10, 2024
kradalby (Collaborator) commented

There is a PR open for PKCE, which I think is to cover MitM and not replay; is this somehow related still? #1812

Any references to how others implement this in go would also be appreciated as reading spec and reversing it is very time consuming.
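An added example of the nonce handling described in the spec text quoted in the issue, written in Go for illustration; it is not headscale's code and is not from either commenter. It assumes the ID token's signature, issuer, audience and expiry are verified separately (for instance with go-oidc, whose IDToken struct exposes the nonce claim as the Nonce field); the store below only binds that claim back to the session that started the flow and consumes the entry on first use, which is what turns the nonce into replay protection. The authorization endpoint, client ID and redirect URI in main are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

var (
	ErrUnknownState  = errors.New("oidc: no pending authentication for this state (already used or never issued)")
	ErrExpired       = errors.New("oidc: pending authentication expired")
	ErrNonceMismatch = errors.New("oidc: ID token nonce does not match the nonce sent in the authentication request")
)

type pendingAuth struct {
	nonce   string
	expires time.Time
}

// NonceStore records the nonce issued for each pending authentication request,
// keyed by the state parameter, so the ID token returned later can be bound to
// the session that started the flow. Entries are consumed on first use.
type NonceStore struct {
	mu      sync.Mutex
	pending map[string]pendingAuth
	ttl     time.Duration
	Now     func() time.Time // injectable clock so expiry can be tested
}

func NewNonceStore(ttl time.Duration) *NonceStore {
	return &NonceStore{pending: make(map[string]pendingAuth), ttl: ttl, Now: time.Now}
}

// randomToken returns n bytes from crypto/rand as unpadded base64url; 32 bytes
// gives 256 bits of entropy, which satisfies the spec's "sufficient entropy" rule.
func randomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BeginAuth creates fresh state and nonce values, stores the nonce under the
// state, and returns the state plus the authorization URL to redirect the user to.
func (s *NonceStore) BeginAuth(authEndpoint, clientID, redirectURI string) (state, authURL string, err error) {
	state, err = randomToken(32)
	if err != nil {
		return "", "", err
	}
	nonce, err := randomToken(32)
	if err != nil {
		return "", "", err
	}
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("scope", "openid")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("nonce", nonce) // the OP must echo this value unmodified into the ID token
	u.RawQuery = q.Encode()

	s.mu.Lock()
	s.pending[state] = pendingAuth{nonce: nonce, expires: s.Now().Add(s.ttl)}
	s.mu.Unlock()
	return state, u.String(), nil
}

// FinishAuth runs on the callback after the ID token has been cryptographically
// verified, with the token's nonce claim. The pending entry is removed whatever
// the outcome, so a replayed callback or ID token cannot succeed a second time.
func (s *NonceStore) FinishAuth(state, idTokenNonce string) error {
	s.mu.Lock()
	p, ok := s.pending[state]
	delete(s.pending, state)
	s.mu.Unlock()
	if !ok {
		return ErrUnknownState
	}
	if s.Now().After(p.expires) {
		return ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(p.nonce), []byte(idTokenNonce)) != 1 {
		return ErrNonceMismatch
	}
	return nil
}

func main() {
	store := NewNonceStore(5 * time.Minute)
	// Placeholder endpoint, client ID and redirect URI (constructed for the example).
	state, authURL, err := store.BeginAuth("https://op.example.test/authorize", "headscale", "https://hs.example.test/oidc/callback")
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", authURL)
	// Simulate the OP echoing the nonce into the ID token by reading it back from the URL.
	u, _ := url.Parse(authURL)
	nonce := u.Query().Get("nonce")
	fmt.Println("first callback:   ", store.FinishAuth(state, nonce))
	fmt.Println("replayed callback:", store.FinishAuth(state, nonce))
}
```

PKCE (RFC 7636) binds the authorization code to the client that requested it and defends against code interception; the nonce binds the ID token to the browser session and is what stops a captured ID token from being accepted in a fresh login. They address different steps of the flow and are complementary rather than alternatives.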

@kradalby kradalby added this to the v0.24.0 milestone Dec 30, 2024
@kradalby kradalby added the OIDC OpenID Connect related issues label Jan 6, 2025
kradalby added a commit to kradalby/headscale that referenced this issue Jan 6, 2025
Fixes juanfont#2276

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
kradalby added a commit to kradalby/headscale that referenced this issue Jan 6, 2025
Fixes juanfont#2276

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
kradalby added a commit to kradalby/headscale that referenced this issue Jan 6, 2025