From c7495a6ae31cf0e18a2e68f742fe26c168e0ee12 Mon Sep 17 00:00:00 2001
From: William Kim
Date: Fri, 9 Aug 2013 10:00:53 -0400
Subject: [PATCH] Revert "made having a nonce not required for id tokens iss #464"
This reverts commit d0486cc1ece93eee661381ccb2ef4b5d6fdec8dd.
---
 .../client/OIDCAuthenticationFilter.java | 29 ++++++++++---------
 1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
index b7baa62e9..537755390 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
@@ -402,23 +402,24 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience());
 }
- // compare the nonce to our stored claim if there is a nonce present
- String nonce = idClaims.getStringClaim("nonce");
+ // compare the nonce to our stored claim
+ // would be nice to have a getClaimAsString() kind of method from nimbus..
+ String nonce = (String) idClaims.getClaim("nonce");
 if (Strings.isNullOrEmpty(nonce)) {
- logger.warn("ID token did not contain a nonce claim.");
-
- } else {
+ logger.error("ID token did not contain a nonce claim.");
- String storedNonce = getStoredNonce(session);
- if (!nonce.equals(storedNonce)) {
- logger.error("Possible replay attack detected! The comparison of the nonce in the returned "
- + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
-
- throw new AuthenticationServiceException(
- "Possible replay attack detected! The comparison of the nonce in the returned "
- + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
- }
+ throw new AuthenticationServiceException("ID token did not contain a nonce claim.");
+ }
+
+ String storedNonce = getStoredNonce(session);
+ if (!nonce.equals(storedNonce)) {
+ logger.error("Possible replay attack detected! The comparison of the nonce in the returned "
+ + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
+
+ throw new AuthenticationServiceException(
+ "Possible replay attack detected! The comparison of the nonce in the returned "
+ + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
 }
 // pull the subject (user id) out as a claim on the id_token
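Review bot: The unchecked cast in `String nonce = (String) idClaims.getClaim("nonce");` throws ClassCastException whenever an ID token carries a `nonce` claim that is not a JSON string, so a malformed token skips the `Strings.isNullOrEmpty(nonce)` rejection and surfaces as an unchecked runtime error instead of the AuthenticationServiceException every other validation failure in this block raises; presumably that also bypasses the filter's normal authentication-failure handling. Reading the claim defensively, `Object nonceClaim = idClaims.getClaim("nonce");` followed by `String nonce = nonceClaim instanceof String ? (String) nonceClaim : null;`, routes the non-string case into the existing missing-nonce rejection with no other change. The removed side used `idClaims.getStringClaim("nonce")`, which the in-code comment asks for; if that accessor is available in the nimbus version this module pins, it is the simpler fix, though its failure mode for a non-string claim should be checked before relying on it. The enclosing method starts and ends outside the hunk.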