Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: generate nounce for id_token response type #298

Merged
merged 3 commits into from
May 23, 2019
Merged

feat: generate nounce for id_token response type #298

merged 3 commits into from
May 23, 2019

Conversation

fernyettheplant
Copy link
Contributor

Justification

When I tried to use this module with id_token in the response_type using the auth0 strategy this error appeared:
image

Upon further investigation, I read that this nonce is required in the request to Auth0 (or maybe Oauth2 as a whole) to mitigate replay attacks

References

https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-06#section-4.6.2
https://auth0.com/docs/api-auth/tutorials/nonce

@ianfortier
Copy link

I have the same issue, anyone found a fix?

@WizardOfCodez
Copy link

Needs definitely a merge - Auth0 schema is useless without it

@akaNightmare
Copy link

Anyone, who can merge it - please merge!

@ysaakpr
Copy link

ysaakpr commented Apr 4, 2019

Why it is not been merged yet or if any changes required must be updated.

@ianfortier
Copy link

Anyone else still needs this? 👍

@ysaakpr
Copy link

ysaakpr commented May 11, 2019

I moved away to https://github.com/IdentityModel/oidc-client-js, because I found that the auth-module have very less active contribution happening, and the other is well maintained.

@metasean
Copy link

If I'm reading correctly, this functionality (but from a different PR) is actually included in @nuxtjs/auth v. 4.5.3

#318

The relevant code changes are here:
a515af2

But I'm still wrapping my head around all this, and the code between this PR and that one are distinct enough, that I'm not actually sure if this is fixing the same problem or not. 🤷‍♂️

@pi0 pi0 added the security label May 23, 2019
@pi0 pi0 changed the title nonce value generation for id_token response type feat: generate nounce for id_token response type May 23, 2019
@pi0 pi0 mentioned this pull request May 23, 2019
Closed
@pi0 pi0 added the fix label May 23, 2019
@pi0 pi0 merged commit b730203 into nuxt-community:dev May 23, 2019
@pi0
Copy link
Member

pi0 commented May 23, 2019

Thanks, @jefer590 for this PR and fix. Will be released soon by v4.6.0 (#356)

@pi0 pi0 mentioned this pull request May 23, 2019
Merged
@pi0
Copy link
Member

pi0 commented May 30, 2019

This PR has been published in v4.6.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
fix security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@fernyettheplant @ianfortier @WizardOfCodez @akaNightmare @ysaakpr @metasean @pi0