Nonce parameter should be required in authorizationEndpoint only when "id_token" is included in response_type

Closes #10143
This commit is contained in:
Takashi Norimatsu 2022-03-03 15:32:08 +09:00 committed by Marek Posolda
parent 6801688dd4
commit 92f6c75328
3 changed files with 5 additions and 2 deletions


@ -227,7 +227,7 @@ public class AuthorizationEndpointChecker {
return;
}
if (parsedResponseType.isImplicitOrHybridFlow() && request.getNonce() == null) {
if (parsedResponseType.hasResponseType(OIDCResponseType.ID_TOKEN) && request.getNonce() == null) {
ServicesLogger.LOGGER.missingParameter(OIDCLoginProtocol.NONCE_PARAM);
event.error(Errors.INVALID_REQUEST);
throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, OAuthErrorException.INVALID_REQUEST, "Missing parameter: nonce");
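Review bot: The new condition `parsedResponseType.hasResponseType(OIDCResponseType.ID_TOKEN) && request.getNonce() == null` narrows a security check but carries no comment saying why, so a later reader sees only a loosened guard. I would add above it `// nonce is required only when an ID Token is issued directly from the authorization endpoint (response_type includes id_token): it binds that ID Token to the client session as replay mitigation. See #10143.`. When a client does send a nonce on a `code token` request it still has to be carried into the ID Token minted at the token endpoint; that path is outside this hunk and I could not confirm it here. The enclosing method starts and ends outside the hunk.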


@ -131,6 +131,9 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc
events.expectLogin().error(Errors.INVALID_REQUEST).user((String) null).session((String) null).clearDetails().assertEvent();
}
protected void validateNonceNotUsedSuccessExpected() {
loginUser(null);
}
protected void validateNonceNotUsedErrorExpected() {
oauth.nonce(null);
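Review bot: The added helper `validateNonceNotUsedSuccessExpected()` has no Javadoc, and the `Success`/`Error` pair alone does not tell a subclass author that the choice depends on whether the response type includes `id_token`. I would document it as `/** For response types without id_token: an authorization request that omits nonce must succeed. */` and give `validateNonceNotUsedErrorExpected()` the mirror `/** For response types with id_token: an authorization request that omits nonce must be rejected as invalid_request. */`. If the `null` passed to `loginUser` is the nonce, the success path presumably should also check that tokens obtained afterwards carry no nonce claim, but `loginUser` is not visible here. The body of `validateNonceNotUsedErrorExpected` continues outside the hunk.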


@ -76,7 +76,7 @@ public class OIDCHybridResponseTypeCodeTokenTest extends AbstractOIDCResponseTyp
@Test
public void nonceNotUsedErrorExpected() {
super.validateNonceNotUsedErrorExpected();
super.validateNonceNotUsedSuccessExpected();
}
@Test
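Review bot: The test method is still named `nonceNotUsedErrorExpected()` while its body now calls `super.validateNonceNotUsedSuccessExpected()`, so the name asserts the opposite of what the test checks; rename it to `public void nonceNotUsedSuccessExpected() {`. Expecting success is consistent with the commit's intent, since a `code token` response type issues no ID Token from the authorization endpoint, but a contradictory name will mislead anyone triaging a failure of this test. The trailing `@Test` at the end of the hunk belongs to a method outside it.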