Spring-security: Consider adding nonce to OIDC Authentication Request

Created on 7 Jul 2017 · 10 comments · Source: spring-projects/spring-security


All 10 comments

Related #4440 - Validate nonce as part of ID Token Validation

The nonce generated by the client during the Authentication Request needs to be stored temporarily so that it can be validated during ID Token Validation. Given these storage requirements, moving this issue to 5.1.

Given the 15.5.2. Nonce Implementation Notes, here is a proposed implementation:

Generate nonce for Authentication Request

  • Concatenate the attributes contained in OAuth2AuthorizationRequest along with the HttpSession.id and hash this to produce the nonce.

Validate nonce during ID Token Validation

  • Use the same strategy as per above to generate the nonce value by hashing the concatenation of the attributes contained in OAuth2AuthorizationRequest along with the HttpSession.id. Compare this generated nonce with the nonce in the ID Token for verification.

Given this implementation, we may not need a separate storage facility for the nonce value as it can be deduced from the HttpSession.id and OAuth2AuthorizationRequest which is stored in the AuthorizationRequestRepository.
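The derive-then-recompute scheme proposed in the comment above, as an added example: it is not Spring Security's code and was not posted in this thread. It is written in Python rather than Java so it runs stand-alone; a plain dict with constructed attributes stands in for the stored `OAuth2AuthorizationRequest`, a constructed string for `HttpSession.id`, and the sorted-key canonicalisation, the `|` separator and SHA-256 are assumptions, as is the `simulate_flow` helper that plays both client and provider.

```python
import hashlib
import hmac

# Constructed sample: the attributes a stored OAuth2AuthorizationRequest would
# carry, plus the servlet session id. All values are made up for this example.
SAMPLE_AUTHORIZATION_REQUEST = {
    "client_id": "example-client",
    "redirect_uri": "https://client.example/login/oauth2/code/example",
    "response_type": "code",
    "scope": "openid profile",
    "state": "x1Zq9v-constructed-state",
}
SAMPLE_SESSION_ID = "CONSTRUCTED-SESSION-ID-0001"


def canonical_request(attrs):
    """Join the request attributes in a fixed key order so the hash does not
    depend on the iteration order of whatever map the request is stored in
    (assumed canonicalisation, not the thread's)."""
    return "&".join(f"{k}={attrs[k]}" for k in sorted(attrs))


def derive_nonce(authorization_request, session_id):
    """nonce = hex(SHA-256(canonical attributes || '|' || session id)).
    Nothing has to be stored beyond the authorization request itself."""
    material = canonical_request(authorization_request) + "|" + session_id
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def validate_id_token_nonce(id_token_claims, authorization_request, session_id):
    """Recompute the nonce from the stored request and the current session and
    compare it with the ID Token's 'nonce' claim. A missing or non-string claim
    fails closed; the comparison is constant-time."""
    expected = derive_nonce(authorization_request, session_id)
    actual = id_token_claims.get("nonce")
    if not isinstance(actual, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


def simulate_flow(session_id=SAMPLE_SESSION_ID, replay_session_id=None, drop_nonce=False):
    """Walk the round trip: the client derives the nonce and sends it, the
    provider echoes it in the ID Token, the client validates it. Returns True
    when validation passes. replay_session_id models the same token being
    presented in a different session; drop_nonce models a provider that omits
    the claim."""
    sent_nonce = derive_nonce(SAMPLE_AUTHORIZATION_REQUEST, session_id)
    # Constructed ID Token claims; a conforming provider copies the request
    # nonce into the token unchanged.
    claims = {"iss": "https://op.example", "sub": "user-1", "aud": "example-client"}
    if not drop_nonce:
        claims["nonce"] = sent_nonce
    validating_session = replay_session_id or session_id
    return validate_id_token_nonce(claims, SAMPLE_AUTHORIZATION_REQUEST, validating_session)


if __name__ == "__main__":
    print("same session:", simulate_flow())
    print("token presented in another session:", simulate_flow(replay_session_id="OTHER"))
    print("nonce claim missing:", simulate_flow(drop_nonce=True))
```

Two points worth keeping in view with this design: the derived nonce is only as unpredictable as the random inputs that go into it (here `state` and the session id), so the hash adds binding, not entropy; and because the stored request attributes are part of the input, any change to them between request and callback also makes validation fail, which is the behaviour you want.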

Will this feature make it into next month's release? Thanks, Bhupinder

It is planned for the 5.1 release. I'm working on other priorities at the moment but we will get to this.

@jgrandja Was this implemented?

@forgo No, not yet. Other items have taken priority so far.

Hey @jgrandja, I'll take this one on.

Is there a switch to turn off the nonce?

@hejianchao No, there isn't a setting/property available to turn it off. Are you having issues with it? Why do you want it disabled?
