vaulttec/sonar-auth-oidc

ID Token Validation

Closed this issue · 0 comments

Hi,

In your OidcClient class you request the ID token without performing the required checks to ensure its integrity. It is recommended to perform five checks according to the ID token validation chapter in the OIDC spec.

Since you are using the Nimbus library for OAuth/OIDC, you can use the IdTokenValidator.

Retrieve and pass the following parameters to set up IdTokenValidator.

  • Issuer
  • ClientID
  • JWS Algorithm
  • jwkSetUri : (URL of the OP's JSON Web Key Set)

Then parse the idToken JWT.
Retrieve the stored nonce sent in the authentication request.
Call the validate function in idTokenValidator:

  • Passing parsed idToken
  • Passing nonce

The idTokenValidator performs the following checks for you:

  • Checks that ID token JWS algorithm matches the expected algorithm.
  • Checks the ID token signature or HMAC using the provided key material, from the client secret or JWK set URL in the discovery document.
  • Checks if the ID token iss and audience aud parameters match the expected IdP and client_id.
  • Checks that the ID token is within the specified validity window (between iat and exp time, given a 1 minute leeway to accommodate clock skew).
  • Checks the nonce value in the request matches the expected one, if one is expected.

See the guide from Connect2id (https://connect2id.com/blog/how-to-validate-an-openid-connect-id-token) for more information.
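The procedure described in this issue, as an added example rather than code from the sonar-auth-oidc project or the issue author. It uses the Nimbus class `com.nimbusds.openid.connect.sdk.validators.IDTokenValidator` (the library spells it with a capital `ID`). The issuer `https://op.example.com`, the client ID `sonarqube`, the class and method names, and the locally generated OP key are assumptions made for the demo; `validatorFromDiscovery` shows the `jwks_uri` constructor a real client would use, while `main` runs the same checks offline against an in-memory JWK set so that the accepted and rejected cases can be seen without a network OP.

```java
import java.net.URL;
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;

public class IdTokenValidationExample {

    // Hypothetical values standing in for the plugin's configured issuer and client_id.
    static final Issuer ISSUER = new Issuer("https://op.example.com");
    static final ClientID CLIENT_ID = new ClientID("sonarqube");

    /** Production path: build the validator once from the OP's discovery data (issuer + jwks_uri). */
    static IDTokenValidator validatorFromDiscovery(URL jwkSetUri) {
        // Nimbus fetches and caches the JWK set from jwks_uri and selects the key by kid.
        IDTokenValidator v = new IDTokenValidator(ISSUER, CLIENT_ID, JWSAlgorithm.RS256, jwkSetUri);
        v.setMaxClockSkew(60); // seconds of allowed clock skew; 60 is also the Nimbus default
        return v;
    }

    /** Parse the raw id_token and run the alg, signature, iss/aud, time-window and nonce checks. */
    static IDTokenClaimsSet verify(IDTokenValidator validator, String rawIdToken, Nonce storedNonce)
            throws BadJOSEException, JOSEException, java.text.ParseException {
        JWT idToken = JWTParser.parse(rawIdToken);
        // Throws BadJOSEException if any of the five checks fails; only trust the claims it returns.
        return validator.validate(idToken, storedNonce);
    }

    // --- offline demo: a fake OP key pair and locally minted tokens, so no network is needed ---

    /** Mint an RS256 ID token signed with the (fake) OP key; the aud/nonce/exp are varied per test case. */
    static String mint(RSAKey opKey, String aud, Nonce nonce, Date exp) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(ISSUER.getValue())
                .subject("alice")
                .audience(aud)
                .issueTime(new Date())
                .expirationTime(exp)
                .claim("nonce", nonce.getValue())
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(opKey.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(opKey));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        RSAKey opKey = new RSAKeyGenerator(2048).keyID("op-key-1").generate();
        // Same validator checks as the jwks_uri constructor, but against an in-memory JWK set.
        IDTokenValidator validator = new IDTokenValidator(ISSUER, CLIENT_ID, JWSAlgorithm.RS256,
                new JWKSet(opKey.toPublicJWK()));
        Nonce nonce = new Nonce(); // generated for the auth request and kept in the user's session
        Date inOneHour = new Date(System.currentTimeMillis() + 3600_000L);

        IDTokenClaimsSet ok = verify(validator, mint(opKey, CLIENT_ID.getValue(), nonce, inOneHour), nonce);
        System.out.println("accepted sub=" + ok.getSubject());

        // Each of these must be rejected; the catch block is where the plugin must stop the login.
        String[] bad = {
            mint(opKey, "some-other-client", nonce, inOneHour),                                     // aud mismatch
            mint(opKey, CLIENT_ID.getValue(), new Nonce(), inOneHour),                              // nonce mismatch (replay)
            mint(opKey, CLIENT_ID.getValue(), nonce, new Date(System.currentTimeMillis() - 3600_000L)), // expired
            mint(new RSAKeyGenerator(2048).keyID("op-key-1").generate(),                            // forged: same kid, wrong key
                 CLIENT_ID.getValue(), nonce, inOneHour),
        };
        for (String t : bad) {
            try {
                verify(validator, t, nonce);
                System.out.println("BUG: accepted a token that should have failed");
            } catch (BadJOSEException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The expected JWS algorithm is pinned in the constructor rather than read from the token header, so an attacker cannot downgrade to `none` or switch to an HMAC with a public key as the secret; if the OP signs with a client-secret HMAC instead, use the overload that takes a `Secret`. Nothing from the ID token (subject, email, groups) should be read before `validate` returns.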