Generate nonce in a Spring Security application using OpenID Connect


I'm plugging a Spring Security application into an IDP/OP (Identity Provider, or OpenID Connect Identity Provider according to the OpenID Connect terminology).

I'm using the authorization code flow. I used this implementation to start my code:

It's working with several IDPs, until I found one that requires the nonce parameter. However, I could not manage to configure my application to generate a nonce and add it to the URL (I know that it's the nonce because when I add it manually, it works).

It's when the application redirects the user to the IDP (authorization endpoint) that I wish to have a nonce. And it would be perfect if the nonce could be verified on the return.

I searched the web for 2 hours; I found this may be the thing to use, but didn't find any example or clue on how to add it to my code.

Here is the interesting part of the code where I think I have to tell Spring to use the nonce:

    @Bean
    public OAuth2RestTemplate getOpenIdConnectRestTemplate(@Qualifier("oauth2ClientContext")
                                                           OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(createOpenIdConnectCodeConfig(), clientContext);
    }

    public OAuth2ProtectedResourceDetails createOpenIdConnectCodeConfig() {
        final AuthorizationCodeResourceDetails resourceDetails = new AuthorizationCodeResourceDetails();
        resourceDetails.setClientAuthenticationScheme(AuthenticationScheme.form); // include client credentials in POST content

        final List<String> scopes = new ArrayList<>();
        scopes.add("openid"); // always need this
        resourceDetails.setScope(scopes); // the list must actually be set on the resource details
        // client id/secret and the IDP's authorization and token endpoint URIs are configured here as well

        return resourceDetails;
    }
If there is a modification, I believe it's there. If that's a duplicate I apologise, and I'll never shame myself again.

Any help would be appreciated; I can post more details if needed, I didn't want to confuse by posting too much.

Thanks for reading me.
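One way to get both halves of what the question asks (nonce on the redirect, check on the return) with spring-security-oauth2's own extension points, as an added example that is not code from the question: subclass `AuthorizationCodeAccessTokenProvider`, mint the nonce when the provider throws the redirect, keep it in the HTTP session, and compare it with the `nonce` claim of the `id_token` after the code exchange. The session attribute name is an assumption, the `id_token` is assumed to arrive in the token response's additional information, and its signature, issuer and audience are assumed to be validated elsewhere.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

// Code-grant provider that adds a nonce to the authorization redirect and checks it in the returned id_token.
public class NonceAccessTokenProvider extends AuthorizationCodeAccessTokenProvider {
    private static final String SESSION_KEY = "oidc_nonce"; // hypothetical session attribute name
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final SecureRandom random = new SecureRandom();

    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest request) {
        RequestAttributes attrs = RequestContextHolder.currentRequestAttributes();
        try {
            OAuth2AccessToken token = super.obtainAccessToken(details, request); // exchanges the code, or throws
            Object expected = attrs.getAttribute(SESSION_KEY, RequestAttributes.SCOPE_SESSION);
            attrs.removeAttribute(SESSION_KEY, RequestAttributes.SCOPE_SESSION); // a nonce is single use
            Object idToken = token.getAdditionalInformation().get("id_token");
            if (expected == null || idToken == null || !expected.equals(nonceClaim(idToken.toString())))
                throw new OAuth2AccessDeniedException("id_token nonce missing or different from the one sent");
            return token;
        } catch (UserRedirectRequiredException redirect) {
            // No code yet: mint a nonce, remember it in the session, and add it to the redirect's query parameters.
            byte[] raw = new byte[32]; random.nextBytes(raw);
            String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            attrs.setAttribute(SESSION_KEY, nonce, RequestAttributes.SCOPE_SESSION);
            redirect.getRequestParams().put("nonce", nonce);
            throw redirect;
        }
    }

    // Reads the nonce claim from the id_token payload (signature validation is done separately).
    static String nonceClaim(String idToken) {
        try {
            String payload = new String(Base64.getUrlDecoder().decode(idToken.split("\\.")[1]), StandardCharsets.UTF_8);
            return MAPPER.readTree(payload).path("nonce").textValue(); // null when the claim is absent
        } catch (Exception e) { return null; } // malformed token: treated as "no nonce", so the check fails
    }
}
```

Register it on the template from the question with `restTemplate.setAccessTokenProvider(new AccessTokenProviderChain(Collections.singletonList(new NonceAccessTokenProvider())))`, so the chain's existing-token and refresh handling stays in place while this provider handles the code grant.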
