AuthorizationRequest.Builder.setNonce(null) doesn't disable nonce verification like skipNonceVerification once did.
champeauxr opened this issue · 0 comments
Configuration
- Version: 0.11.1
- Integration: native Kotlin
- Identity provider: private
Issue Description
My project is stuck on version 0.8.1 because of a change @agologan made on March 31, 2021 (for version 0.9.0) that removed the skipNonceVerification option in favor of setNonce(null).
Remove skipNonceVerification in favor of setNonce(null)
However, that doesn't work in my case. For whatever reason, the identity provider I am using returns a nonce in the IdToken even though the nonce was set to null in the AuthorizationRequest. Therefore, since the request's nonce is null and the token's nonce is populated, the following check in IdToken.dart:292 returns false and causes an exception to be thrown in version 0.9.0 and above.
    String expectedNonce = tokenRequest.nonce;
    if (!TextUtils.equals(this.nonce, expectedNonce)) {
        throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
            new IdTokenException("Nonce mismatch"));
    }
This code used to be the following in version 0.8.1. Since I was able to specify the skipNonceVerification option, the verification was skipped and no exception was thrown.
    String expectedNonce = tokenRequest.nonce;
    if (!skipNonceVerification && !TextUtils.equals(this.nonce, expectedNonce)) {
        throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
            new IdTokenException("Nonce mismatch"));
    }
I propose the following change that adds an expectedNonce != null condition to take the place of the !skipNonceVerification from 0.8.1, while maintaining the use of setNonce(null) to skip nonce verification.
    String expectedNonce = tokenRequest.nonce;
    if (expectedNonce != null && !TextUtils.equals(this.nonce, expectedNonce)) {
        throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
            new IdTokenException("Nonce mismatch"));
    }
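
The following is an added example, not part of the original issue and not AppAuth code. It evaluates the three checks quoted above against every combination of request nonce and ID token nonce, which goes beyond the single case the issue reports. The class and method names and the sample nonce values are assumptions, and `Objects.equals` stands in for `TextUtils.equals` so that it runs on a plain JVM.

```java
import java.util.Objects;

// Added illustration; class, method names and nonce values are constructed.
// Objects.equals replaces android.text.TextUtils.equals (both treat two nulls as equal).
public class NonceCheckComparison {

    // Check quoted for 0.9.0 and above: any difference, including null vs. set, is a mismatch.
    static boolean currentAccepts(String requestNonce, String tokenNonce) {
        return Objects.equals(tokenNonce, requestNonce);
    }

    // Check quoted for 0.8.1: an explicit flag bypasses the comparison entirely.
    static boolean legacyAccepts(boolean skipNonceVerification,
                                 String requestNonce, String tokenNonce) {
        return skipNonceVerification || Objects.equals(tokenNonce, requestNonce);
    }

    // Check proposed in the issue: the comparison runs only when the request carried a nonce.
    static boolean proposedAccepts(String requestNonce, String tokenNonce) {
        return requestNonce == null || Objects.equals(tokenNonce, requestNonce);
    }

    public static void main(String[] args) {
        // Constructed cases: {nonce sent in the request, nonce found in the ID token}
        String[][] cases = {
            {"n-abc", "n-abc"},  // provider echoes the nonce
            {"n-abc", "n-xyz"},  // token carries a different nonce
            {"n-abc", null},     // provider drops the nonce
            {null,    "n-idp"},  // the case reported in the issue
            {null,    null},     // no nonce on either side
        };

        System.out.printf("%-9s %-9s %-9s %-13s %-13s %-9s%n",
            "request", "token", "current", "legacy(skip)", "legacy(noskip)", "proposed");
        for (String[] c : cases) {
            System.out.printf("%-9s %-9s %-9b %-13b %-13b %-9b%n",
                c[0], c[1],
                currentAccepts(c[0], c[1]),
                legacyAccepts(true, c[0], c[1]),
                legacyAccepts(false, c[0], c[1]),
                proposedAccepts(c[0], c[1]));
        }
    }
}
```

The table shows that the proposed condition differs from the 0.9.0 check only when the request nonce is null, while the 0.8.1 flag accepts every row, including a token nonce that differs from the one the request sent.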