Guanping Zhang created CXF-9225:
-----------------------------------

             Summary: OIDC RP does not enforce nonce validation for Implicit/Hybrid flows
                 Key: CXF-9225
                 URL: https://issues.apache.org/jira/browse/CXF-9225
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, JAX-RS Security
    Affects Versions: 4.2.2
            Reporter: Guanping Zhang


In the CXF OIDC Relying Party (RP) implementation 
({{OidcClientCodeRequestFilter}}), the {{nonce}} claim in the ID Token is 
validated _if_ it is present. However, the pipeline does not enforce the 
presence of a {{nonce}} for Implicit and Hybrid flows.

Per OpenID Connect Core 1.0 §3.1.2.1 and §3.2.2.5, the {{nonce}} parameter is 
REQUIRED for the Implicit Flow and Hybrid Flow to mitigate replay attacks. If 
an integrator omits the {{nonce}} in the initial request, the RP silently 
accepts the ID Token without replay protection, degrading the security of the 
flow without warning the developer.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
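As an added illustration of the check the report describes (this is a standalone example written for this page, not code from CXF or from the reporter; the class {{NonceCheck}} and its methods are hypothetical names), the following validator treats the {{nonce}} claim as mandatory whenever the {{response_type}} asks for a token from the authorization endpoint (Implicit: {{id_token}}, {{id_token token}}; Hybrid: any {{code}} combination with {{id_token}} and/or {{token}}), and only as optional for the plain Authorization Code flow. When a nonce is present in either place it is still compared in constant time:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical RP-side nonce enforcement, written for illustration only.
 * It is NOT CXF's OidcClientCodeRequestFilter; it shows the rule that the
 * ID Token nonce is REQUIRED for Implicit and Hybrid flows and OPTIONAL for
 * the Authorization Code flow, and that a present nonce must match.
 */
public final class NonceCheck {

    private NonceCheck() {
    }

    /**
     * response_type is a space-separated, order-independent list
     * ("code id_token" and "id_token code" mean the same thing).
     */
    static Set<String> parseResponseType(String responseType) {
        if (responseType == null || responseType.isBlank()) {
            throw new IllegalArgumentException("response_type is required");
        }
        return new HashSet<>(Arrays.asList(responseType.trim().split("\\s+")));
    }

    /**
     * Nonce is required whenever an ID Token or Access Token is issued from
     * the authorization endpoint, i.e. for every Implicit and Hybrid variant.
     * Only the pure Authorization Code flow ("code") leaves it optional.
     */
    public static boolean nonceRequired(String responseType) {
        Set<String> types = parseResponseType(responseType);
        return types.contains("id_token") || types.contains("token");
    }

    /**
     * @param responseType  the response_type the RP used in the authentication request
     * @param expectedNonce the nonce the RP generated and stored in the session (may be null
     *                      only for the Authorization Code flow)
     * @param idTokenClaims the already signature-verified ID Token claims
     * @throws SecurityException if the nonce is missing where required or does not match
     */
    public static void validateNonce(String responseType, String expectedNonce,
                                     Map<String, Object> idTokenClaims) {
        boolean required = nonceRequired(responseType);
        Object actual = idTokenClaims.get("nonce");

        if (required && (expectedNonce == null || expectedNonce.isEmpty())) {
            // Integrator error: the RP never sent a nonce for a flow that mandates it.
            throw new SecurityException("RP did not send a nonce for response_type=" + responseType);
        }
        if (required && actual == null) {
            // Provider error or tampering: the ID Token omitted a mandatory claim.
            throw new SecurityException("ID Token is missing the required nonce claim");
        }
        if (actual == null) {
            return; // Authorization Code flow without a nonce: nothing to compare.
        }
        if (expectedNonce == null) {
            throw new SecurityException("ID Token carries a nonce but the RP did not send one");
        }
        byte[] a = actual.toString().getBytes(StandardCharsets.UTF_8);
        byte[] b = expectedNonce.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) { // constant-time comparison
            throw new SecurityException("ID Token nonce does not match the session nonce");
        }
    }

    public static void main(String[] args) {
        // Constructed sample claims; values are placeholders, not real tokens.
        Map<String, Object> withNonce = Map.of("sub", "user-1", "nonce", "n-0S6_WzA2Mj");
        Map<String, Object> withoutNonce = Map.of("sub", "user-1");

        validateNonce("code", null, withoutNonce);                    // OK: optional here
        validateNonce("id_token token", "n-0S6_WzA2Mj", withNonce);   // OK: present and equal
        try {
            validateNonce("id_token code", "n-0S6_WzA2Mj", withoutNonce);
        } catch (SecurityException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The behaviour the report flags corresponds to the second branch being absent: with only the final comparison in place, a hybrid or implicit response whose ID Token lacks {{nonce}} passes silently, which is exactly the replay exposure the report describes.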