-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarification Needed on Nonce Validation Logic #190
Comments
These seem to be valid concerns, @1thrasher. Thank you for raising the issue! We will plan the work on a fix. |
Hello I'm not a php developer, so please take this suggestion as just a guide of what I think can be changed. (That is why this is not a PR and just a comment) I suggest to change the validatePayloadNonce to something like this (please refine it)
NOTE: Not sure is this Where the concerns that @1thrasher are solved and at the same time, there is a new check that controls that the state and the nonce belong to the same original oidc request. This would imply to change line 94 in the same file to:
In addition to this, the nonce should be deleted once it is used once, and don't rely only on the expiration date. If not, someone could use it more than one time. As said, I'm not a PHP person, but around line 105, before the return, something like this is needed (again, just a suggestion)
I'm not sure if the nonce in the repository is used later (for example in the deep link) but if it is we should only delete it here if it is not a deep link request and then delete it when the deep link request finishes using it. I hope this helps. |
I'm confused with the nonce validation logic in the validatePayloadNonce method within ToolLaunchValidator.php.
A nonce should be validated to ensure it exists, has not been used, and has not expired. The expected behavior is to invalidate (expire or remove) the nonce after a successful validation to ensure it cannot be reused.
However, the implementation appears to deviate from this expected behavior in the following manner:
Perhaps I'm misunderstanding the nonce's purpose, but treating its expiration or absence in the repository as a valid seems to be the opposite of what we want. (See the first 4-minutes of the video here.)
Can you help clarify my confusion here?
Thank you for looking into this.
The text was updated successfully, but these errors were encountered: