
OAuth 2 device flow loses OIDC nonce


    • Sprint:
      2017.15 "Lowry" Turing
    • Needs backport:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description


      Bug description

      OpenID Connect recommends including a nonce parameter in the authentication request, which is then included in the id_token in the response. This prevents replay attacks and ensures that the id_token actually corresponds to a request the client made. If the device flow grant type is used, this nonce does not get included in the id_token, in violation of the OIDC spec: "If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request" (Section 2, ID Tokens).

      This shouldn't be a security issue, as the device flow requests are made directly between the client and the AS over a trusted channel and the device code itself will prevent replay, but it is a spec violation. Also, if a client was using the nonce to bind the issued id_token to a local session then this would fail in this case.

      How to reproduce the issue

      1. Set up OpenAM for OIDC and register a client
      2. Begin an OAuth 2.0 device flow:
         curl -X POST -d 'client_id=test&scope=openid&response_type=code&nonce=foobar' https://openam.example.com:8443/openam/oauth2/realms/root/realms/edge/device/code
      3. Navigate to the verification_uri and enter the user_code, then log in and approve the request.
      4. Retrieve the approved tokens:
         curl -X POST -d "client_id=test&client_secret=letmein&grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=$DEVICE_CODE" https://openam.example.com:8443/openam/oauth2/access_token
      5. Decode the id_token and check the nonce value

      Expected behaviour

      Issued id_token contains the nonce value from the request

      Current behaviour

      Issued id_token does not contain the nonce
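      The client-side check that step 5 describes, as an added example that is not OpenAM's code: verify the id_token signature, then require the nonce claim to equal the nonce sent in the device authorization request, treating a missing claim as a failure. It assumes a constructed HS256 key and constructed sample tokens (a real client would verify OpenAM's signature with the AS's published keys instead).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: HS256 keeps the example self-contained. OpenAM normally
# signs id_tokens with its own keys (e.g. RS256); the nonce check is identical.
DEMO_KEY = b"client-secret-letmein"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 id_token (stand-in for the AS, not OpenAM code)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verified_claims(id_token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the signature first; only then are the claims worth reading."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def check_nonce(id_token: str, expected_nonce: str, key: bytes = DEMO_KEY) -> tuple:
    """Return (ok, reason); a missing nonce is the OPENAM-12078 symptom and must fail."""
    try:
        claims = verified_claims(id_token, key)
    except ValueError as exc:
        return False, str(exc)
    actual = claims.get("nonce")
    if actual is None:
        return False, "nonce claim missing"
    if actual != expected_nonce:
        return False, "nonce mismatch"
    return True, "nonce ok"

# Constructed samples: what a conforming AS issues for nonce=foobar, and what the buggy device flow issues.
BASE = {"iss": "https://openam.example.com:8443/openam/oauth2", "sub": "demo", "aud": "test"}
GOOD_TOKEN = make_id_token({**BASE, "nonce": "foobar"})
BUGGY_TOKEN = make_id_token(BASE)  # nonce dropped, exactly as in the bug description
```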

      Work around


      Code analysis

      Simple fix: set the nonce from the deviceCode when creating the access token. This will then propagate to the id_token.

      org.forgerock.oauth2.core.DeviceCodeGrantTypeHandler#handle (line 111)
      AccessToken accessToken = accessTokenGenerator.generateAccessToken(providerSettings, grant, grantType,
      null, grant.scope, validatedClaims, /* ADD THIS: */ deviceCode.getNonce(), request, deviceCode.getAuthTimeSeconds(),




            • Assignee:
              rebecca.hayling Rebecca Hayling [X] (Inactive)
              neil.madden Neil Madden