ory · splaunov · Jul 11, 2024
@@ -726,7 +726,7 @@ func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context, _ session.
  }
 }
 
-func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
+func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken string) (*Claims, error) {
  verifier, ok := provider.(IDTokenVerifier)
  if !ok {
  return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider))
@@ -750,14 +750,7 @@ func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provid
  // If the provider does not support nonces, we don't do validation and return the claim.
  // This case only applies to Apple, as some of their devices do not support nonces.
  // https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
- } else if idTokenNonce == "" {
- // A nonce was present in the JWT token, but no nonce was submitted in the flow
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider"))
- } else if idTokenNonce != claims.Nonce {
- // The nonce from the JWT token does not match the nonce from the flow.
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
- }
- // Nonce checking was successful
+ }
 
  return claims, nil
 }

@@ -238,7 +238,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
  }
 
  if p.IDToken != "" {
- claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce)
+ claims, err := s.processIDToken(w, r, provider, p.IDToken)
  if err != nil {
  return nil, s.handleError(w, r, f, pid, nil, err)
  }

@@ -196,7 +196,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat
  }
 
  if p.IDToken != "" {
- claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce)
+ claims, err := s.processIDToken(w, r, provider, p.IDToken)
  if err != nil {
  return s.handleError(w, r, f, pid, nil, err)
  }

@@ -800,23 +800,6 @@ func TestStrategy(t *testing.T) {
  require.Equal(t, "No nonce was included in the id_token but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
  },
  },
- {
- name: "should fail if no nonce is supplied in request",
- idToken: `{
- "iss": "https://appleid.apple.com",
- "sub": "{{sub}}",
- "nonce": "{{nonce}}"
- }`,
- v: func(provider, token, _ string) url.Values {
- return url.Values{
- "id_token": {token},
- "provider": {provider},
- }
- },
- expect: func(t *testing.T, res *http.Response, body []byte) {
- require.Equal(t, "No nonce was provided but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
- },
- },
  {
  name: "should pass if claims are valid",
  idToken: `{
@@ -828,17 +811,6 @@ func TestStrategy(t *testing.T) {
  require.NotEmpty(t, gjson.GetBytes(body, "session_token").String(), "%s", body)
  },
  },
- {
- name: "nonce mismatch",
- idToken: `{
- "iss": "https://appleid.apple.com",
- "sub": "{{sub}}",
- "nonce": "random-nonce"
- }`,
- expect: func(t *testing.T, res *http.Response, body []byte) {
- require.Equal(t, "The supplied nonce does not match the nonce from the id_token", gjson.GetBytes(body, "error.reason").String(), "%s", body)
- },
- },
  } {
  tc := tc
  t.Run(fmt.Sprintf("flow=registration/case=%s", tc.name), func(t *testing.T) {