Guanping Zhang created CXF-9225:
-----------------------------------
Summary: OIDC RP does not enforce nonce validation for Implicit/Hybrid flows
Key: CXF-9225
URL: https://issues.apache.org/jira/browse/CXF-9225
Project: CXF
Issue Type: Bug
Components: JAX-RS, JAX-RS Security
Affects Versions: 4.2.2
Reporter: Guanping Zhang
In the CXF OIDC Relying Party (RP) implementation
({{OidcClientCodeRequestFilter}}), the {{nonce}} claim in the ID Token is
validated _if_ it is present. However, the pipeline does not enforce the
presence of a {{nonce}} for Implicit and Hybrid flows.
Per OpenID Connect Core 1.0 §3.1.2.1 and §3.2.2.5, the {{nonce}} parameter is
REQUIRED for the Implicit Flow and Hybrid Flow to mitigate replay attacks. If
an integrator omits the {{nonce}} in the initial request, the RP silently
accepts the ID Token without replay protection, degrading the security of the
flow without warning the developer.
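The check the report asks for, written out as an added example in Python; it is not CXF code and does not use the CXF API. It models what an OIDC RP should do with the {{nonce}} claim depending on the {{response_type}} it sent: for Implicit and Hybrid response types a missing nonce is a hard failure rather than a silently skipped check, a nonce that was sent must come back in the ID Token, and a nonce is single-use so a replayed token is rejected. The function and helper names ({{check_nonce}}, {{nonce_required}}, {{id_token_claims}}, {{make_unsigned_id_token}}), the sample claims and the {{used_nonces}} store are assumptions of this example. Signature verification of the ID Token is assumed to happen before this step and is not shown.

```python
import base64
import hmac
import json

# Added example, not CXF code. Models the nonce check an OIDC Relying Party
# should apply to an ID Token, keyed on the response_type it sent.

# response_type values from OpenID Connect Core 1.0 section 3: "code" alone is
# the Authorization Code Flow; the sets below are Implicit (3.2) and Hybrid
# (3.3), where a nonce is REQUIRED.
NONCE_REQUIRED_RESPONSE_TYPES = {
    frozenset({"id_token"}),
    frozenset({"id_token", "token"}),
    frozenset({"code", "id_token"}),
    frozenset({"code", "token"}),
    frozenset({"code", "id_token", "token"}),
}


def nonce_required(response_type: str) -> bool:
    """True when the flow selected by response_type requires a nonce.
    The space-separated values are order-insensitive per the spec, so
    'token id_token' is treated the same as 'id_token token'."""
    return frozenset(response_type.split()) in NONCE_REQUIRED_RESPONSE_TYPES


def id_token_claims(id_token: str) -> dict:
    """Extract the payload claims of a compact JWT. This helper only parses;
    signature verification is assumed to have happened already."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID Token")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_nonce(response_type, id_token, sent_nonce, used_nonces):
    """Return (ok, reason).

    sent_nonce is the nonce the RP put in the Authentication Request, or None
    if it omitted one. used_nonces is the RP's store of nonces already
    consumed (assumed in-memory set here), so a replayed ID Token fails."""
    claims = id_token_claims(id_token)
    token_nonce = claims.get("nonce")

    if sent_nonce is None:
        if nonce_required(response_type):
            # The gap the report describes: an Implicit/Hybrid flow without a
            # nonce must be refused, not accepted with the check skipped.
            return False, "nonce is REQUIRED for response_type '%s'" % response_type
        return True, "nonce not sent; not required for response_type"
    if token_nonce is None:
        # Core 3.1.3.7 step 11: a nonce sent in the request MUST be present
        # in the ID Token and MUST be checked.
        return False, "nonce sent but missing from ID Token"
    if not isinstance(token_nonce, str) or not hmac.compare_digest(
        token_nonce.encode("utf-8"), sent_nonce.encode("utf-8")
    ):
        return False, "nonce mismatch"
    if token_nonce in used_nonces:
        return False, "nonce already used (replay)"
    used_nonces.add(token_nonce)
    return True, "nonce verified"


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed sample token for the demo only (alg none, empty signature);
    a real RP must only reach check_nonce with a signature-verified token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    used = set()
    tok = make_unsigned_id_token({"sub": "alice", "iss": "https://op.example", "nonce": "n-1"})
    print(check_nonce("id_token token", tok, "n-1", used))  # first use: verified
    print(check_nonce("id_token token", tok, "n-1", used))  # second use: replay rejected
    no_nonce = make_unsigned_id_token({"sub": "alice", "iss": "https://op.example"})
    print(check_nonce("id_token", no_nonce, None, used))    # Implicit without nonce: rejected
    print(check_nonce("code", no_nonce, None, used))        # Code flow without nonce: allowed
```

The design point is that the decision whether a nonce is mandatory is taken from the {{response_type}} the RP itself chose, before the token is even parsed, so an integrator who forgets to generate a nonce for an Implicit or Hybrid flow gets a failure at the first authentication attempt instead of an RP that quietly runs without replay protection.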
--
This message was sent by Atlassian Jira
(v8.20.10#820010)