openid/AppAuth-Android

AuthorizationRequest.Builder.setNonce(null) doesn't disable nonce verification like skipNonceVerification once did.

champeauxr opened this issue · 0 comments

Configuration

  • Version: 0.11.1
  • Integration: native Kotlin
  • Identity provider: private

Issue Description

My project is stuck on version 0.8.1 because of a change @agologan made on March 31, 2021 (for version 0.9.0) that removed the skipNonceVerification option in favor of setNonce(null).
Remove skipNonceVerification in favor of setNonce(null)

However, that doesn't work in my case. For whatever reason, the identity provider I am using returns a nonce in the IdToken even though the nonce was set to null in the AuthorizationRequest. Therefore, since the request's nonce is null and the token's nonce is populated, the following check in IdToken.dart:292 returns false and causes an exception to be thrown in version 0.9.0 and above.

            String expectedNonce = tokenRequest.nonce;
            if (!TextUtils.equals(this.nonce, expectedNonce)) {
                throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
                    new IdTokenException("Nonce mismatch"));
            }

This code used to be the following in version 0.8.1. Since I was able to specify the skipNonceVerification option, the verification was skipped and no exception was thrown.

            String expectedNonce = tokenRequest.nonce;
            if (!skipNonceVerification && !TextUtils.equals(this.nonce, expectedNonce)) {
                throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
                    new IdTokenException("Nonce mismatch"));
            }

I propose the following change that adds an expectedNonce != null condition to take the place of the !skipNonceVerification from 0.8.1, while maintaining the use of setNonce(null) to skip nonce verification.

            String expectedNonce = tokenRequest.nonce;
            if (expectedNonce != null && !TextUtils.equals(this.nonce, expectedNonce)) {
                throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
                    new IdTokenException("Nonce mismatch"));
            }
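Added example, not code from the issue or from AppAuth-Android: the three nonce checks above modelled as pure functions and run over every (request nonce, ID-token nonce) combination, so the effect of the proposed condition can be seen beside the 0.8.1 and 0.9.0 behaviour. It assumes java.util.Objects.equals as a stand-in for Android's TextUtils.equals (both treat two nulls as equal), and the nonce strings are constructed sample values.

```java
import java.util.Objects;

public class NonceCheckMatrix {
    // 0.8.1: an explicit skipNonceVerification flag bypasses the comparison entirely.
    static boolean rejects081(String expected, String actual, boolean skipNonceVerification) {
        return !skipNonceVerification && !Objects.equals(actual, expected);
    }

    // 0.9.0+: setNonce(null) is meant to be the opt-out, but a provider that still
    // returns a nonce makes (null vs "n-123") a mismatch, which is the reported failure.
    static boolean rejects090(String expected, String actual) {
        return !Objects.equals(actual, expected);
    }

    // Proposed: a null request nonce means "no nonce was requested", so compare only
    // when one was sent; a requested nonce that is missing or wrong is still rejected.
    static boolean rejectsProposed(String expected, String actual) {
        return expected != null && !Objects.equals(actual, expected);
    }

    public static void main(String[] args) {
        String[][] cases = {
            // {request nonce, ID-token nonce} (constructed sample values)
            {"n-123", "n-123"}, // normal flow: token echoes the requested nonce
            {"n-123", "other"}, // token carries a different nonce: must be rejected
            {"n-123", null},    // token omits the requested nonce: must be rejected
            {null,    "n-123"}, // the issue: none requested, provider returns one anyway
            {null,    null},    // none requested, none returned
        };
        System.out.printf("%-8s %-8s %-7s %-7s %-9s%n",
            "request", "token", "0.8.1*", "0.9.0", "proposed");
        for (String[] c : cases) {
            String expected = c[0], actual = c[1];
            // * 0.8.1 column sets skipNonceVerification exactly when no nonce was requested,
            //   i.e. the way a caller would have used the old opt-out.
            System.out.printf("%-8s %-8s %-7b %-7b %-9b%n", expected, actual,
                rejects081(expected, actual, expected == null),
                rejects090(expected, actual),
                rejectsProposed(expected, actual));
        }
    }
}
```

The printed table shows the proposed condition rejecting the same three mismatch cases as 0.8.1 whenever a nonce was actually requested, and differing from 0.9.0 only in the (null, "n-123") row that this issue is about.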