fix: only include nonce claim in id_token when provided in auth request #56
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When no nonce is sent in the authorization request (nonce is nil or empty string), the id_token should not include the nonce claim. Including an empty nonce causes validation failures with some OIDC relying parties. Per OIDC Core spec section 2, the nonce claim is optional and should only be present if a nonce was sent in the authentication request. This fixes issues with AWS ALB OIDC authentication, which does not send a nonce parameter but validates the id_token and fails when an empty nonce claim is present. Changes: - Modified maybe_put_nonce helper to skip nonce claim when nil or empty - Added tests for nonce handling (nil, empty string, and valid nonce)
patatoid
approved these changes
Dec 16, 2025
Collaborator
patatoid
left a comment
patatoid
left a comment
There was a problem hiding this comment.
Thank you for the contribution, the tests are greatly welcomed
Collaborator
|
The pipeline fails due to issues with the did service. I am on the way to fix, besides that everything look good. I still merge on master, this not being related to the changes. Notice that there may be issues with the universal keys. Keeping you posted here. |
Contributor
Author
|
Thanks for the clarification! Good to know the DID service issue is on your radar. It appears the DID_SERVICES_API_KEY secret referenced in the CI workflow is not configured or has expired. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When no nonce is sent in the authorization request (nonce is nil or empty string), the id_token should not include the nonce claim. Including an empty nonce causes validation failures with some OIDC relying parties.
Per OIDC Core spec section 2, the nonce claim is optional and should only be present if a nonce was sent in the authentication request.
This fixes issues with AWS ALB OIDC authentication, which does not send a nonce parameter but validates the id_token and fails when an empty nonce claim is present.
Changes:
fix for issue: #55