
Liferay as OpenId Connect client server should not validate nonce in a refresh_token exchange response

    Details

      Description

      While testing the OIDC refresh_token mechanism, I noticed that validation of the refresh_token exchange response fails because the nonce is missing from the response.

      After reading the specification:
      https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
      it seems validating the nonce in the refresh_token exchange process is not needed.

      And if you think about it, a refresh_token exchange happens only between server and server, a back-channel process. A nonce does not help with anything in such a process.

      In the IdentityServer discussion below, it is explicitly discussed that an OIDC provider should not return a nonce in a refresh_token exchange, and William Denniss took a step to request a change to the OIDC spec to explicitly mention that the nonce should not be validated in a refresh_token exchange response.
      https://github.com/IdentityServer/IdentityServer4/issues/2180

      Steps to reproduce:
      1. Set up OIDC using the Google provider. (Liferay does not support Google OIDC with refresh_token, as Google OIDC needs a non-spec parameter to request offline access, and Liferay does not support adding custom parameters to the OIDC authorization request, so one needs to modify Liferay code to make Liferay support Google with refresh_token.)
      2. Go through the OIDC process; once the access_token expires, one will see a failure message in the console log saying: "Unable to validate tokens: Missing JWT nonce (nonce) claim"
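      The validation rule the report asks for, as an added illustration (not Liferay's own code): the nonce is required and compared only for the front-channel authorization-code response, while the ID token returned by a back-channel refresh_token exchange is checked for continuity with the original token instead. Function names, flow labels and the sample claims are constructed for this example.

```python
# Added example, not Liferay code. Checks the decoded payload of an OIDC ID
# token after the JWT signature has already been verified elsewhere.
import time

class TokenValidationError(Exception):
    pass

def validate_id_token_claims(claims, issuer, client_id, flow,
                             expected_nonce=None, original=None, now=None):
    """claims: decoded JWT payload; flow: 'authorization_code' or 'refresh_token'."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenValidationError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("aud does not contain client_id")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenValidationError("token expired or missing exp")
    if "iat" not in claims:
        raise TokenValidationError("missing iat")
    if flow == "authorization_code":
        # A browser started this login: the nonce ties the ID token to it.
        if "nonce" not in claims:
            raise TokenValidationError("Missing JWT nonce (nonce) claim")
        if claims["nonce"] != expected_nonce:
            raise TokenValidationError("nonce mismatch")
    elif flow == "refresh_token":
        # Server-to-server exchange: no nonce to check, so require that the
        # refreshed token still describes the same issuer, subject and client.
        if original is None:
            raise TokenValidationError("original ID token required for refresh")
        for name in ("iss", "sub", "aud"):
            if claims.get(name) != original.get(name):
                raise TokenValidationError(f"{name} differs from original ID token")
    else:
        raise ValueError(f"unknown flow: {flow}")
    return True

# Constructed sample data (hypothetical issuer, client and claims).
ISSUER = "https://op.example.test"
CLIENT_ID = "liferay-client"
LOGIN_TOKEN = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
               "iat": 1_700_000_000, "exp": 1_700_003_600, "nonce": "n-abc"}
REFRESHED_TOKEN = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                   "iat": 1_700_003_000, "exp": 1_700_006_600}  # no nonce

if __name__ == "__main__":
    validate_id_token_claims(LOGIN_TOKEN, ISSUER, CLIENT_ID, "authorization_code",
                             expected_nonce="n-abc", now=1_700_000_100)
    validate_id_token_claims(REFRESHED_TOKEN, ISSUER, CLIENT_ID, "refresh_token",
                             original=LOGIN_TOKEN, now=1_700_003_100)
    print("both tokens accepted")
```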

              People

              Assignee:
              ferenc.onodi Ferenc Onodi
              Reporter:
              arthur.chen Arthur Chen
              Participants of an Issue:
              Recent user:
              Clarissa Velazquez
              Engineering Assignee:
              Arthur Chen
               Votes:
               0
               Watchers:
               1

                Dates

                18 weeks, 3 days ago

                  Packages

                  Version Package
                  7.2.10 DXP FP16
                  7.2.X
                  7.3.X
                  7.4.2 CE GA3 DXP 7,4
                  7.4.13 DXP GA1
                  Master