  • Thanks for linking this from my earlier question. However, why should I care that the attacker can authenticate with my client app running on his computer? Assuming the attacker has admin permissions, he can trivially inspect the nonce wherever I store it, or modify my code to skip the nonce check? In short, if this is the attack the nonce was supposed to prevent, it seems pretty useless since it barely raises attack effort? Commented Aug 5, 2019 at 7:26
  • 2
    I am struggling to understand how this helps with the implicit workflow. In that workflow the id_token is returned directly to the client, and the id_token will contain the raw nonce (just base64urlEncoded). At this point though, the nonce seems useless as the attacker has the signed id_token value and can just write this to localStorage/sessionStorage/cookie or wherever the application usually persists it. I cannot see how it improves security of the implicit workflow, but openid.net/specs/… says it is required Commented Jan 16, 2020 at 15:24
  • 1
    "The nonce helps to prevent the attacker from taking the authorization server's response, pasting it into their URL bar ...". As far as I understand that's what the OAuth 2.0 state variable is for. The state var seems to make the nonce as used in the scenario described redundant. Also, there is no mention of the implicit flow being deprecated in the actual OIDC spec, although there seems to be a lot of advice against using it these days. Commented Mar 7, 2023 at 4:11
  • 1
    @spinkus I finally sorted this out in my mind. The state variable only ensures that an Authentication Request and Authentication Response are correlated (i.e., prevents unsolicited Authentication Responses, and therefore CSRF attacks), but does not ensure integrity of the Response. Imagine this: attacker starts at the Relying Party (RP) and captures his own state from the Authentication Request. He then intercepts the Authentication Response of a victim. He crafts a new Response with his own state but with the victim's code, and the RP now sends a Token Request with that code. Commented Jul 28, 2023 at 23:58
  • 1
    That duplicate Token Request may also succeed at the Authorization Server (AS) assuming that the AS does not "verify that the Authorization Code has not been previously used", but the RP can now reject that duplicate Token Response because it has already seen the nonce before. Attacker is denied access. Commented Jul 29, 2023 at 0:00
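The code-swap scenario described in the last two comments, worked through as an added example (not code from the thread or from any OIDC library). It assumes the RP keeps state and nonce per session, that id_token signature verification has already happened elsewhere, and that the Authorization Server echoes the nonce of the original request into the id_token; `token_endpoint` is a constructed stand-in for the AS.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class RelyingParty:
    sessions: dict = field(default_factory=dict)   # session_id -> {"state": ..., "nonce": ...}
    seen_nonces: set = field(default_factory=set)  # nonces already accepted in an id_token

    def start_login(self, session_id):
        # Fresh state and nonce per Authentication Request, both bound to the user's session.
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state, "nonce": nonce}
        return state, nonce

    def check_auth_response(self, session_id, returned_state):
        # state only correlates the Response with a Request this session made (anti-CSRF);
        # it says nothing about whose authorization code is attached.
        sess = self.sessions.get(session_id)
        return sess is not None and secrets.compare_digest(sess["state"], returned_state)

    def check_id_token(self, session_id, claims):
        # Assumes the id_token signature was already verified (assumption, not shown here).
        # The nonce must match this session's request and may be accepted only once.
        sess, nonce = self.sessions.get(session_id), claims.get("nonce")
        if sess is None or nonce is None or not secrets.compare_digest(sess["nonce"], nonce):
            return False            # token was minted for somebody else's Authentication Request
        if nonce in self.seen_nonces:
            return False            # replay of an id_token the RP has already consumed
        self.seen_nonces.add(nonce)
        return True

def code_swap_scenario():
    """Attacker submits his own state with the victim's code, then the victim's token is replayed."""
    rp = RelyingParty()
    victim_state, victim_nonce = rp.start_login("victim")
    attacker_state, _ = rp.start_login("attacker")

    def token_endpoint(code):
        # Constructed AS stand-in: id_token claims carry the nonce of the request that produced the code.
        return {"sub": code["sub"], "nonce": code["nonce"]}

    victim_code = {"sub": "victim", "nonce": victim_nonce}   # constructed sample code
    state_ok = rp.check_auth_response("attacker", attacker_state)       # passes: state is his own
    token_ok = rp.check_id_token("attacker", token_endpoint(victim_code))  # fails: nonce is the victim's
    legit = rp.check_id_token("victim", token_endpoint(victim_code))    # victim's own flow succeeds
    replay = rp.check_id_token("victim", token_endpoint(victim_code))   # same id_token again is refused
    return state_ok, token_ok, legit, replay
```

The four booleans show why state alone is not enough: the attacker's crafted response passes the state check but the id_token it yields fails the nonce check, and a second presentation of the victim's own id_token is rejected as a replay.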