Describe the bug
I am testing the Vault 1.9.0 OIDC provider tech-preview.
Using the dex example-app as a client, I get the following response:
invalid_request: nonce parameter is required
However, according to the OpenID Core Connect specification section 3.1.2.1, the nonce is "OPTIONAL" in the Authorization Code Flow.
(It is required in the Implicit Flow and Hybrid Flow, but that's not what Vault implements)
To Reproduce
-
Set up Vault OIDC provider as here
-
Install dex example-app
-
Run the example app pointing at Vault
bin/example-app --client-id XXXXXXXX --client-secret hvo_secret_YYYYYYYY --debug \
--issuer https://vault.example.com:8200/v1/identity/oidc/provider/my-provider --listen http://0.0.0.0:5555 \
--redirect-uri http://127.0.0.1:5555/callback
-
Login to example app via web
Expected behavior
Vault should accept Authorization flow without nonce, as compliant applications are not required to provide one.
Environment:
- Vault Server Version (retrieve with
vault status): 1.9.0
- Vault CLI Version (retrieve with
vault version): Vault v1.9.0
- Server Operating System/Architecture:
Ubuntu 20.04 amd64
Vault server configuration file(s): N/A
Additional context
The spec also says:
If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.
Note use of "If present".
Describe the bug
I am testing the Vault 1.9.0 OIDC provider tech-preview.
Using the dex example-app as a client, I get the following response:
However, according to the OpenID Core Connect specification section 3.1.2.1, the nonce is "OPTIONAL" in the Authorization Code Flow.
(It is required in the Implicit Flow and Hybrid Flow, but that's not what Vault implements)
To Reproduce
Set up Vault OIDC provider as here
Install dex example-app
Run the example app pointing at Vault
Login to example app via web
Expected behavior
Vault should accept Authorization flow without nonce, as compliant applications are not required to provide one.
Environment:
vault status):1.9.0vault version):Vault v1.9.0Ubuntu 20.04 amd64Vault server configuration file(s): N/A
Additional context
The spec also says:
Note use of "If present".