Revert "made having a nonce not required for id tokens iss #464"

This reverts commit d0486cc1ec.
pull/477/head
William Kim 2013-08-09 10:00:53 -04:00
parent d0486cc1ec
commit c7495a6ae3
1 changed files with 15 additions and 14 deletions


@ -402,23 +402,24 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience()); throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience());
} }
// compare the nonce to our stored claim if there is a nonce present // compare the nonce to our stored claim
String nonce = idClaims.getStringClaim("nonce"); // would be nice to have a getClaimAsString() kind of method from nimbus..
String nonce = (String) idClaims.getClaim("nonce");
if (Strings.isNullOrEmpty(nonce)) { if (Strings.isNullOrEmpty(nonce)) {
logger.warn("ID token did not contain a nonce claim."); logger.error("ID token did not contain a nonce claim.");
} else {
String storedNonce = getStoredNonce(session); throw new AuthenticationServiceException("ID token did not contain a nonce claim.");
if (!nonce.equals(storedNonce)) { }
logger.error("Possible replay attack detected! The comparison of the nonce in the returned "
+ "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + "."); String storedNonce = getStoredNonce(session);
if (!nonce.equals(storedNonce)) {
throw new AuthenticationServiceException( logger.error("Possible replay attack detected! The comparison of the nonce in the returned "
"Possible replay attack detected! The comparison of the nonce in the returned " + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
+ "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
} throw new AuthenticationServiceException(
"Possible replay attack detected! The comparison of the nonce in the returned "
+ "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
} }
// pull the subject (user id) out as a claim on the id_token // pull the subject (user id) out as a claim on the id_token
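Review bot: The unchecked cast in `String nonce = (String) idClaims.getClaim("nonce");` means an ID token whose `nonce` claim is present but not a JSON string (a number or an object) fails with a ClassCastException instead of the AuthenticationServiceException every other validation failure in this block throws, so the filter's failure path is inconsistent for malformed input. Reading it as `Object rawNonce = idClaims.getClaim("nonce");` followed by `if (rawNonce != null && !(rawNonce instanceof String)) throw new AuthenticationServiceException("ID token nonce claim is not a string.");` and `String nonce = (String) rawNonce;` keeps the existing null/empty check and the existing exception type. The mismatch branch also echoes both the session nonce and the token-supplied nonce into the thrown message, which may reach the caller as well as the log; keeping the thrown message generic and logging the two values only at debug level would avoid that. Whether the stored nonce is removed from the session after a successful match is not visible here; if `getStoredNonce` does not consume it, the same ID token could be presented again within the session lifetime, so a single-use nonce is worth confirming. The enclosing method starts and ends outside the hunk.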