diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
index c002335311..ded0fbb640 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@@ -55,6 +55,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
 public static final String GRANT_TYPE_PARAM = "grant_type";
 public static final String REDIRECT_URI_PARAM = "redirect_uri";
 public static final String CLIENT_ID_PARAM = "client_id";
+ public static final String NONCE_PARAM = "nonce";
 public static final String PROMPT_PARAM = "prompt";
 public static final String LOGIN_HINT_PARAM = "login_hint";
 public static final String LOGOUT_REDIRECT_URI = "OIDC_LOGOUT_REDIRECT_URI";
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 99528c8316..995175e980 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -324,6 +324,7 @@ public class TokenManager {
 token.issuedNow();
 token.issuedFor(client.getClientId());
 token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
+ token.setNonce(clientSession.getNote(OIDCLoginProtocol.NONCE_PARAM));
 if (session != null) {
 token.setSessionState(session.getId());
 }
@@ -434,6 +435,7 @@ public class TokenManager {
 idToken.issuedNow();
 idToken.issuedFor(accessToken.getIssuedFor());
 idToken.issuer(accessToken.getIssuer());
+ idToken.setNonce(accessToken.getNonce());
 idToken.setSessionState(accessToken.getSessionState());
 if (realm.getAccessTokenLifespan() > 0) {
 idToken.expiration(Time.currentTime() + realm.getAccessTokenLifespan());
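Review bot: In the TokenManager @@ -324 hunk `token.setNonce(clientSession.getNote(OIDCLoginProtocol.NONCE_PARAM))` runs unconditionally, so when the authorization request carried no nonce (AuthorizationEndpoint records the note only when one is present) the access token receives `setNonce(null)`, and the @@ -434 hunk then copies that null onto the ID token; whether this surfaces as a `"nonce": null` claim depends on the token serializer's null handling, which is not visible here, so a guard is cheaper than relying on it: `String nonce = clientSession.getNote(OIDCLoginProtocol.NONCE_PARAM); if (nonce != null) token.setNonce(nonce);`. Separately, `nonce` is specified as an ID Token claim in OpenID Connect Core, and stamping it on the access token as well (this hunk) makes the value visible to every resource server the bearer token is presented to; if the access token is only serving as the carrier to reach the ID-token builder in @@ -434, a comment saying so would help, and reading the note in that path directly would avoid widening the access token — I cannot tell from the hunk whether the client session is reachable there. Because the value persists as a client-session note, it is likely that later tokens issued for the same client session (for instance on refresh, if that path goes through this method) will carry the original nonce; that may be intended, but a one-line comment stating the expectation would make it explicit. The enclosing methods begin and end outside both hunks.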
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
index c2a42eb89a..603f3dd65f 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
@@ -79,6 +79,7 @@ public class AuthorizationEndpoint {
 private String scope;
 private String loginHint;
 private String prompt;
+ private String nonce;
 private String idpHint;
 private String legacyResponseType;
@@ -102,6 +103,7 @@ public class AuthorizationEndpoint {
 loginHint = params.getFirst(OIDCLoginProtocol.LOGIN_HINT_PARAM);
 prompt = params.getFirst(OIDCLoginProtocol.PROMPT_PARAM);
 idpHint = params.getFirst(AdapterConstants.KC_IDP_HINT);
+ nonce = params.getFirst(OIDCLoginProtocol.NONCE_PARAM);
 checkSsl();
 checkRealm();
@@ -225,6 +227,7 @@ public class AuthorizationEndpoint {
 clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
 if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state);
+ if (nonce != null) clientSession.setNote(OIDCLoginProtocol.NONCE_PARAM, nonce);
 if (scope != null) clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope);
 if (loginHint != null) clientSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, loginHint);
 if (prompt != null) clientSession.setNote(OIDCLoginProtocol.PROMPT_PARAM, prompt);
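Review bot: The `nonce` read from the request in the @@ -102 hunk is stored verbatim as a client-session note in the @@ -225 hunk with no validation, and the TokenManager hunks on this page then echo that note into the signed access and ID tokens, so the only bound on a client-supplied value's size is whatever the query-string layer imposes; a length check next to the existing `checkSsl();`/`checkRealm();` calls would keep an oversized value out of the session store and the tokens. OpenID Connect Core also makes `nonce` mandatory when the response type returns an ID Token directly from the authorization endpoint (implicit and hybrid flows); if this endpoint accepts such response types, a missing nonce should be rejected as an invalid request rather than silently producing tokens without one — the response_type handling is outside these hunks, so I cannot confirm which flows are accepted. The note is written only when a value is present and is never cleared, which mirrors the `state` line above it; if `clientSession` can be a reused session rather than one created for this request (its creation is outside the hunk), a stale nonce from an earlier request would be carried into the new tokens, and an `else` branch that removes the note would prevent that. A short comment on the new field noting that `NONCE_PARAM` doubles as the request parameter name and the client-session note key would help readers of both files.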