From 664076ee2d7cca5b391f135c710cbeb288ff32ac Mon Sep 17 00:00:00 2001
From: Markus Strehle <11627201+strehle@users.noreply.github.com>
Date: Mon, 13 Jan 2025 18:31:23 +0100
Subject: [PATCH] OIDC nonce parameter support (#77)

* OIDC nonce parameter support
* Update README.md
---
 README.md | 1 +
 openid-client/openid-client.go | 6 ++++++
 pkg/client/client.go | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index f268563..99e66e8 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ Flags:
  -client_assertion External client token to perform client authentication. Use this parameter instead of client_jwt or client_jwt_key parameters.
  -assertion Input token for token exchanges, e.g. jwt-bearer and token-exchange.
  -scope OIDC scope parameter. This is an optional flag, default is openid. If you set none, the parameter scope will be omitted in request.
+ -nonce OIDC nonce parameter. This is an optional flag. If you do not set it, the parameter will be omitted in request.
  -refresh Bool flag. Default false. If true, call refresh flow for the received id_token.
  -idp_token Bool flag. Default false. If true, call the OIDC IdP token exchange endpoint (IAS specific only) and return the response.
  -idp_scope OIDC scope parameter. Default no scope is set. If you set the parameter idp_scope, it is set in IdP token exchange endpoint (IAS specific only).
diff --git a/openid-client/openid-client.go b/openid-client/openid-client.go
index 6a1fe40..9fa8136 100644
--- a/openid-client/openid-client.go
+++ b/openid-client/openid-client.go
@@ -57,6 +57,7 @@ func main() {
 		" -client_assertion External client token to perform client authentication. Use this parameter instead of client_jwt or client_jwt_key parameters.\n" +
 		" -assertion Input token for token exchanges, e.g. jwt-bearer and token-exchange.\n" +
 		" -scope OIDC scope parameter. This is an optional flag, default is openid. If you set none, the parameter scope will be omitted in request.\n" +
+		" -nonce OIDC nonce parameter. This is an optional flag. If you do not set it, the parameter will be omitted in request.\n" +
 		" -refresh Bool flag. Default false. If true, call refresh flow for the received id_token.\n" +
 		" -idp_token Bool flag. Default false. If true, call the OIDC IdP token exchange endpoint (IAS specific only) and return the response.\n" +
 		" -idp_scope OIDC scope parameter. Default no scope is set. If you set the parameter idp_scope, it is set in IdP token exchange endpoint (IAS specific only).\n" +
@@ -86,6 +87,7 @@ func main() {
 	var doRefresh = flag.Bool("refresh", false, "Refresh the received id_token")
 	var isVerbose = flag.Bool("v", false, "Show more details about calls")
 	var scopeParameter = flag.String("scope", "", "OIDC scope parameter")
+	var nonceParameter = flag.String("nonce", "", "OIDC nonce parameter")
 	var doCorpIdpTokenExchange = flag.Bool("idp_token", false, "Return OIDC IdP token response")
 	var refreshExpiry = flag.String("refresh_expiry", "", "Value in seconds to reduce Refresh Token Lifetime")
 	var tokenFormatParameter = flag.String("token_format", "opaque", "Format for access_token")
@@ -407,6 +409,10 @@ func main() {
 		} else if *command == "jwks" {
 		}
 	} else {
+		// nonceParameter, only in authorize
+		if *nonceParameter != "" {
+			requestMap.Set("nonce", *nonceParameter)
+		}
 		var idToken, refreshToken = client.HandleOpenIDFlow(requestMap, verbose, callbackURL, *scopeParameter, *tokenFormatParameter, *portParameter, claims.EndSessionEndpoint, privateKeyJwt, *provider, *tlsClient)
 		if *doRefresh {
 			if refreshToken == "" {
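Review bot: The new `-nonce` usage line does not say that the flag is only honoured on the authorize path — the later hunk in this file sets it on `requestMap` solely in the final `else` branch that calls `client.HandleOpenIDFlow`, so for the named `-command` paths the value appears to be silently dropped. Suggest making both this string and the matching README line say so, e.g. `" -nonce OIDC nonce parameter. Optional; only sent in the authorization request of the browser (authorize) flow and ignored for other commands. Use a fresh, unguessable value per run.\n" +`. The last sentence matters because OIDC defines the nonce as a client-generated value that binds the id_token to the session, which a reused fixed string does not provide. The usage string belongs to main(), which starts before this hunk.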
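Review bot: Sending a nonce only gives replay/binding protection if the `nonce` claim of the returned id_token is compared with the value that was sent, and nothing in this hunk does that — `idToken` comes back from `client.HandleOpenIDFlow` and is passed on unchecked. The client.go hunk in this patch only copies the value into the authorization URL, so unless `HandleOpenIDFlow` validates the claim somewhere not visible here, an id_token with a missing or different nonce would be accepted. Suggest either validating right after the call — decode the id_token claims and fail when the `nonce` claim does not equal `*nonceParameter` — or, if this tool deliberately leaves verification to the caller, replacing the added comment with one that says so: `// nonce is only forwarded to the authorization request; the id_token nonce claim is not verified by this tool`. Either way the `-nonce` help text should state which of the two applies. The enclosing main() continues on both sides of this hunk.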
diff --git a/pkg/client/client.go b/pkg/client/client.go
index 8b7bcdf..95d7194 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -113,6 +113,9 @@ func HandleOpenIDFlow(request url.Values, verbose bool, callbackURL string, scop
 	if request.Has("login_hint") {
 		query.Set("login_hint", request.Get("login_hint"))
 	}
+	if request.Has("nonce") {
+		query.Set("nonce", request.Get("nonce"))
+	}
 	authzURL.RawQuery = query.Encode()
 	//cmd := exec.Command("open", authzURL.String())