Generate nonce in a Spring Security application using OpenID Connect

triton oidc Source

I'm plugging a Spring Security application into an IDP/OP (Identity Provider, or OpenID Connect Identity Provider according to the OpenID Connect terminology).

I'm using the authorization code flow. I used this implementation to start my code: https://github.com/gazbert/openid-connect-spring-client

It's working with several IDPs, until I found one that requires the nonce parameter. However, I could not manage to configure my application to generate a nonce and add it to the URL (I know that it's the nonce because when I add it manually, it works).

It's when the application redirects the user to the IDP (authorization endpoint) that I wish to have a nonce. And it would be perfect if the nonce could be verified on the return.

I searched the web for 2 hours; I found that org.springframework.security.oauth.provider.nonce may be the thing to use, but didn't find any example or clue on how to add it to my code.

Here is the interesting part of the code, where I think I have to tell Spring to use the nonce:

    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;

    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.security.oauth2.client.OAuth2ClientContext;
    import org.springframework.security.oauth2.client.OAuth2RestTemplate;
    import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
    import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
    import org.springframework.security.oauth2.common.AuthenticationScheme;

    // These values are populated from the application configuration (not shown in the question)
    private String clientId;
    private String clientSecret;
    private String authorizationUri;
    private String tokenUri;
    private String optionalScopes; // comma-separated list of extra scopes
    private String redirectUri;

    public OAuth2RestTemplate getOpenIdConnectRestTemplate(@Qualifier("oauth2ClientContext")
                                                           OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(createOpenIdConnectCodeConfig(), clientContext);
    }

    public OAuth2ProtectedResourceDetails createOpenIdConnectCodeConfig() {
        final AuthorizationCodeResourceDetails resourceDetails = new AuthorizationCodeResourceDetails();
        resourceDetails.setClientAuthenticationScheme(AuthenticationScheme.form); // include client credentials in POST content
        resourceDetails.setClientId(clientId);
        resourceDetails.setClientSecret(clientSecret);
        resourceDetails.setUserAuthorizationUri(authorizationUri); // authorization endpoint the user is redirected to
        resourceDetails.setAccessTokenUri(tokenUri);               // token endpoint used to exchange the code

        final List<String> scopes = new ArrayList<>();
        scopes.add("openid"); // always needed for OpenID Connect
        scopes.addAll(Arrays.asList(optionalScopes.split(",")));
        resourceDetails.setScope(scopes);

        resourceDetails.setPreEstablishedRedirectUri(redirectUri);
        resourceDetails.setUseCurrentUri(false);
        return resourceDetails;
    }

If there is a modification, I believe it's there. If that's a duplicate, I apologise, and I'll never shame myself again.

Any help would be appreciated; I can post more details if needed, I didn't want to confuse by posting too much.

Thanks for reading me.

Tags: spring-security, openid-connect
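One way to get both halves of what the question asks for (a nonce on the redirect to the authorization endpoint, and a check of that nonce when the id_token comes back) with the legacy spring-security-oauth2 classes the snippet uses, as an added example that is not part of the original question or of the openid-connect-spring-client project. It assumes that `UserRedirectRequiredException.getRequestParams()` returns the mutable map built by `AuthorizationCodeAccessTokenProvider` (a `TreeMap` in that library), that the HTTP session is reachable through `RequestContextHolder`, that Jackson is on the classpath, and that the token endpoint returns the id_token in the `id_token` field of the token response; the class name, the `oidc.nonce` session attribute and the helper names are mine.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

import javax.servlet.http.HttpSession;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/**
 * Added example (not from the question or the openid-connect-spring-client project):
 * an access token provider that adds an OpenID Connect "nonce" to the authorization
 * request and checks it against the "nonce" claim of the returned id_token.
 * Wire it in with restTemplate.setAccessTokenProvider(new NonceAwareAccessTokenProvider()).
 */
public class NonceAwareAccessTokenProvider extends AuthorizationCodeAccessTokenProvider {

    // Assumed session attribute name; it carries the nonce from the redirect to the callback.
    static final String NONCE_SESSION_KEY = "oidc.nonce";
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final ObjectMapper JSON = new ObjectMapper();

    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details,
                                               AccessTokenRequest request) {
        try {
            // When the callback carries a code, the parent exchanges it at the token endpoint.
            OAuth2AccessToken token = super.obtainAccessToken(details, request);
            verifyNonce(token);
            return token;
        } catch (UserRedirectRequiredException redirect) {
            // No code yet: the parent asks the framework to redirect the user to the
            // authorization endpoint. Add a fresh nonce to the query parameters and keep
            // it in the session for the check on the way back.
            // Assumption: getRequestParams() is the mutable map the parent built.
            String nonce = newNonce();
            session().setAttribute(NONCE_SESSION_KEY, nonce);
            redirect.getRequestParams().put("nonce", nonce);
            throw redirect;
        }
    }

    /** 256 bits from a CSPRNG, URL-safe so the value can go straight into the query string. */
    static String newNonce() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Compares the session nonce with the id_token "nonce" claim. This only ties the
     * id_token to this browser session; signature, issuer, audience and expiry still
     * have to be validated by the application's existing id_token verification.
     */
    private void verifyNonce(OAuth2AccessToken token) {
        HttpSession session = session();
        String expected = (String) session.getAttribute(NONCE_SESSION_KEY);
        session.removeAttribute(NONCE_SESSION_KEY); // a nonce is single use, even when the check fails
        Object idToken = token.getAdditionalInformation().get("id_token");
        if (expected == null || idToken == null) {
            throw new IllegalStateException("No nonce in session or no id_token in the token response");
        }
        String actual = nonceClaim(idToken.toString());
        if (actual == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8))) {
            throw new IllegalStateException("id_token nonce does not match the value sent in the request");
        }
    }

    /** Reads the "nonce" claim from the payload of a compact-serialized JWT (no signature check here). */
    static String nonceClaim(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return null;
        }
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
            @SuppressWarnings("unchecked")
            Map<String, Object> claims = JSON.readValue(payload, Map.class);
            Object nonce = claims.get("nonce");
            return nonce == null ? null : nonce.toString();
        } catch (IOException | IllegalArgumentException e) {
            return null;
        }
    }

    private static HttpSession session() {
        return ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
                .getRequest().getSession(true);
    }
}
```

In `getOpenIdConnectRestTemplate`, keep the `OAuth2RestTemplate` from the question and call `setAccessTokenProvider(new NonceAwareAccessTokenProvider())` on it before returning it. Doing so replaces the default provider chain with this single authorization-code provider, which is what the question's flow uses anyway. The nonce is removed from the session before the comparison so a failed callback cannot be retried against the same value, and the comparison is constant-time; the claim is read from the JWT payload without any signature check, so the check is only meaningful once the existing id_token verification has accepted the token.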
