From c0d353d7ce14353070fbfa7842ac2eca44a6bed1 Mon Sep 17 00:00:00 2001
From: Mike Derryberry <derryberry@mitre.org>
Date: Wed, 8 Aug 2012 16:18:52 -0400
Subject: [PATCH] removed state parameter from claims. added way to create
 random nonce value

---
 .../connect/client/OIDCSignedRequestFilter.java       | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java
index ea1a10e7e..143cdb383 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java
@@ -1,11 +1,14 @@
 package org.mitre.openid.connect.client;
 
 import java.io.IOException;
+import java.math.BigInteger;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Map;
 
 import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -113,8 +116,12 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter {
 		claims.setClaim("client_id", serverConfiguration.getClientId());
 		claims.setClaim("scope", scope);
 		claims.setClaim("redirect_uri", AbstractOIDCAuthenticationFilter.buildRedirectURI(request, null));
-		claims.setClaim("nonce", NONCE_SIGNATURE_COOKIE_NAME);
-		claims.setClaim("state", "af0ifjsldkj");
+		
+		//create random nonce
+		String nonce = new BigInteger(50, new SecureRandom()).toString(16);
+		Cookie nonceCookie = new Cookie(NONCE_SIGNATURE_COOKIE_NAME, sign(signer, privateKey, nonce.getBytes()));
+
+		claims.setClaim("nonce", nonceCookie);
 		
 		try {
 			signingAndValidationService.signJwt(jwt);