Implement nonce in OIDC

Created on 13 November 2020, almost 5 years ago
Updated 22 July 2025, 25 days ago

I am testing this module with jumbojett/OpenID-Connect-PHP client library. It sends a nonce value in the authentication request and expects it to be found in the ID token. If nonce is not found, the authentication fails. simple_oauth as of now doesn't appear to return the nonce claim.

From OpenID Connect Basic Client Implementer's Guide 1.0 - draft 40:

If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.

🐛 Bug report

Status: Needs work
Version: 6.0
Component: OpenID Connect
Created by: kamalw (🇱🇰 Sri Lanka)
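
The exchange this report describes, as an added example in plain PHP; it is not code from simple_oauth or from jumbojett/OpenID-Connect-PHP. The nonce binds the ID token to the client session that started the authentication request, so a client that sent one has to reject a token that omits it or carries a different value. All function names, the issuer URL, the client id and the HS256 shared secret are assumptions made for the illustration.

```php
<?php
// Added example with hypothetical helpers and constructed values (issuer, client id, secret).

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Authorization server: copy the request's nonce, unmodified, into the ID token.
function build_id_token_claims(array $authRequest, string $sub): array {
    $claims = ['iss' => 'https://op.example', 'sub' => $sub,
               'aud' => $authRequest['client_id'], 'iat' => time(), 'exp' => time() + 300];
    if (isset($authRequest['nonce']) && $authRequest['nonce'] !== '') {
        $claims['nonce'] = $authRequest['nonce'];
    }
    return $claims;
}

function sign_id_token(array $claims, string $secret): string {
    $input = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']))
           . '.' . b64url(json_encode($claims));
    return $input . '.' . b64url(hash_hmac('sha256', $input, $secret, true));
}

// Client: verify the signature first, then require a nonce equal to the one
// stored in the session when the authentication request was sent.
function id_token_nonce_ok(string $jwt, string $secret, string $sessionNonce): bool {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return false; }
    [$h, $p, $sig] = $parts;
    if (!hash_equals(b64url(hash_hmac('sha256', "$h.$p", $secret, true)), $sig)) {
        return false;
    }
    $claims = json_decode(base64_decode(strtr($p, '-_', '+/')), true);
    return is_array($claims) && is_string($claims['nonce'] ?? null)
        && hash_equals($sessionNonce, $claims['nonce']);
}

$secret = 'constructed-demo-secret';
$nonce = bin2hex(random_bytes(16)); // client keeps this in its session
$cases = [
    'nonce echoed'  => ['client_id' => 'demo-client', 'nonce' => $nonce],
    'nonce omitted' => ['client_id' => 'demo-client'], // token without a nonce claim, as reported here
    'other nonce'   => ['client_id' => 'demo-client', 'nonce' => 'from-another-session'],
];
foreach ($cases as $label => $request) {
    $jwt = sign_id_token(build_id_token_claims($request, 'user-1'), $secret);
    printf("%-13s => %s\n", $label, id_token_nonce_ok($jwt, $secret, $nonce) ? 'accept' : 'reject');
}
```

The client check covers only the signature and the nonce; a full ID token validation also checks `iss`, `aud` and `exp`.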
