[DRAFT] Set and check nonce during authentication sequence. #840

creechy · 2025-01-09T17:55:39Z

PR Checklist

A description of the changes is added to the description of this PR.
If there is a related issue, make sure it is linked to this PR.
If you've fixed a bug or added code that should be tested, add tests!
If you've added or modified a feature, documentation in docs is updated

Description of changes

This fixes a potential replay attack by setting a nonce value and validating the nonce is returned in the id-token.

creechy · 2025-01-09T18:11:44Z

@dan1elt0m - proposed enhancement to add nonce validation

dan1elt0m · 2025-01-09T20:37:10Z

LGTM

ognis1205 · 2025-01-09T21:16:52Z

If I understand correctly, the nonce is intended to link the client (the relying party in OIDC terms) session with the issued ID token. In this context, where the CLI application functions as the client, and considering that the same CLI application is not executed after the ID Token is issued (meaning there is virtually no opportunity for an attacker to perform a replay attack), it seems that verifying the nonce may not add significant value. Additionally, in OAuth, the nonce is not a required parameter for authorization flows.

I believe the primary concern here may not be a replay attack but rather an authorization code interception, MITM, and CSRF. Would it be more appropriate to consider implementing an authorization flow with PKCE instead of using a nonce? 🤔

dan1elt0m · 2025-01-09T22:54:48Z

Nonce provides replay protection and according to Google's openid-connect documentation, the nonce is required for both the server (auth code flow) and the implicit flow. IIRC, in the auth code flow it prevents hackers from injecting their auth response into the redirect URI of the server.

ognis1205 · 2025-01-10T00:47:13Z

The "client" mentioned above was intended to function as a client for the resource server. Strictly speaking, this CLI application (AuthCli) is not a client of the resource server, in other words, the series of processes following this authorization flow, which utilizes an access token, acts as the client to the resource server; however, since the nonce lifespan aligns with the session of AuthCli, I referred to it as a client. I understand that the nonce is associated with the client session to prevent replay attacks, but I believe it is highly unlikely for a malicious user to launch a replay attack on AuthCli. ~~For similar reasons, I believe that~~ validating the state value (which does not appear to be implemented in the current setup) ~~may not be particularly meaningful here.~~

Although I am uncertain about the rationale behind Google's documentation specifying nonce as required, the OIDC specifications referenced in the same documentation appear to indicate that nonce is optional in the authorization code flow. In this CLI application case, PKCE + state seems to provide sufficient security. That said, I do not have a strong objection to this draft.

Reference

creechy · 2025-01-10T16:48:48Z

@ognis1205 @dan1elt0m I can see both your points. I don't think there is any particular not to do this, however optional and unlikely a replay attack could be.

ognis1205 · 2025-01-20T20:37:24Z

As mentioned in the comment here, if we continue using the current implementation of the Authorization Code Flow in AuthCli, I believe credentials such as tokens should also be handled via the back channel.

However, if we replace it with the Authorization Code Flow with PKCE (PKCE Flow) and remove the client_secret from the request, the CLI could be considered a public native application, which would conform to standard security implementations (Even in this case, I think it would be necessary to introduce a separate property rather than reusing the server property).

That said, in Google's OIDC implementation, the client_secret seems to be treated as a required field, even if it is PKCE Flow, so the ideal approach would be to switch to the PKCE Flow while clearly documenting this point.

Additionally, since the UI implementation for both Google and Okta clients is equivalent to the Authorization Code Flow with PKCE, adopting this approach would enhance consistency across the system as a whole.

Google OIDC Configuration Enpoint
Google OIDC Documentation
Google OAuth2.0 Token Exchange Apigee

Set and check nonce during authentication sequence.

df931ae

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[DRAFT] Set and check nonce during authentication sequence. #840

[DRAFT] Set and check nonce during authentication sequence. #840

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[DRAFT] Set and check nonce during authentication sequence. #840

Are you sure you want to change the base?

[DRAFT] Set and check nonce during authentication sequence. #840

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!