Note:Nonces can encrypted and send. There can be multiple ways to use nonces according to the protocol. Sign up to join this community.
The best answers are voted up and rise to the top. Stack Overflow for Teams — Collaborate and share knowledge with a private group. Create a free Team What is Teams? Learn more. Asked 5 years, 9 months ago. Active 5 years, 8 months ago. Viewed 27k times. The OpenID Connect specification requires implicit flow clients to generate and validate a nonce: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
What replay attacks are those? Improve this question. See my response here: security. Add a comment. Active Oldest Votes. My current understanding is as follows: The client a web application running in the user's browser generates a nonce, puts it into the browser's session storage, and redirects to the authentication server, passing the nonce as parameter.
Improve this answer. Care to explain? Did you mean to write an answer rather than comment on mine? The nonce effectively acts as a password for the client application. This figure shows a code injection attack note again that the client and authorization server are the same in both sessions :. Note: When a client uses dynamic client registration, for example on a mobile device of a user, an attacker might be unable to conduct a code injection attack even without further protection mechanisms, as he does not have access to the client that was used to create the code.
For flows with Nonce, the attacker might already know the nonce parameter that is bound to the code: If an unencrypted ID token was issued in the front channel, it is likely that it leaked to the attacker in the same way as the code. As far as I can see, however, this does not help the attacker. He would still need to get the confidential! In a sane client implementation, there is no way for the attacker to achieve this. PKCE and Nonce seem to be safe choices in defending against code injection attacks for confidential clients.
Also, a combination of the two is safe i. For public clients, PKCE must be used. A circumvention of both mechanisms, however, is possible if an AS allows a client to choose between PKCE and Nonce and the client makes use of this freedom.
Assume that the client uses PKCE for some flows e. Now, an attacker who has stolen an authorization code that was bound to a Nonce could inject this code into a pure-OAuth authorization flow that uses PKCE.
The client will ignore the ID token since it was not expected but use the access token. The root cause for the attack is that the client and the server allow for a dynamic switch between PKCE and Nonce flows. Authorization servers must enforce PKCE unless they know that the client uses Nonce for all of its flows and checks the Nonce value. The presence of a nonce parameter in the authorization request is not sufficient to determine if a client actually checks the nonce claim in the ID token.
This is intended to prevent misuse of the stolen code even is an attacker can read the authorization request. In this expanded attacker model i. This can be considered a special case of code injection. On the one hand, it is hard or impossible to protect any redirect-based protocols against these attacks.
On the other hand, to perform the attack in practice, the attacker needs good timing and ideally some side-channel information about the user e. Was this helpful? Persist nonces across requests.
Validate ID token. Learn more. Yes No.
0コメント