
[Bug]: Nonce Mismatch During Refresh Token Flow with Keycloak (OIDC) #2876

Open
fengccp opened this issue Dec 8, 2024 · 3 comments

fengccp commented Dec 8, 2024

OAuth2-Proxy Version

v7.7.1

Provider

keycloak-oidc

Expected Behaviour

When using the refresh token flow, OAuth2-Proxy should be able to refresh the access token without encountering a nonce mismatch.

https://www.keycloak.org/docs/latest/upgrading/#nonce-claim-is-only-added-to-the-id-token

Current Behaviour

Keycloak does not include a nonce in the ID token when refreshing tokens. Because of this, OAuth2-Proxy throws an error for nonce mismatch when insecureSkipNonce is set to false.

Steps To Reproduce

  1. Set up OAuth2-Proxy with Keycloak as the identity provider.
  2. Configure the proxy with insecureSkipNonce: false.
  3. Attempt to refresh the token using the refresh token flow.
  4. Observe the nonce mismatch error.

Possible Solutions

No response

Configuration details or additional information

For now, I've added a mapper in Keycloak called Nonce backwards compatible. This temporarily adds a nonce to the ID token after refreshing, which allows OAuth2-Proxy to refresh tokens successfully.


m4123 commented Dec 11, 2024

This bug is not specific to Keycloak but it is a general issue. According to the OIDC specification, the ID token in a refresh response SHOULD NOT contain a nonce, see https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse.
We observe the same problem with Forgerock as the IdP.

@JoelSpeed (Member)

So the issue specifically here is that we are using the same nonce checking on the initial token, and refreshed tokens, and I'm guessing some providers do provide a nonce, and some do not?

If you set insecureSkipNonce this fixes the issue, but also means that the nonce is not being checked for the initial ID token either?

I guess we probably want to skip the check on refresh tokens, per the spec link you added.

Anyone able to look at wrangling up a PR?


m4123 commented Jan 1, 2025

Yes, if we set insecureSkipNonce = true, the issue is not present. But then the nonce check is also disabled for the initial ID token.
Based on https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse, I expect the following behavior:

  1. insecureSkipNonce = true: Do not validate the nonce, neither in the initial ID token, nor in refreshed ones.
  2. insecureSkipNonce = false: Validate the nonce in the initial ID token. Validate the nonce in a refreshed ID token only if the nonce claim is present in the refreshed ID token (if present, the nonce of refreshed ID tokens MUST be the same as the one in the initial ID token).
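The two-mode behaviour m4123 lays out above, written out as an added Go example (oauth2-proxy is a Go project, but this is not oauth2-proxy's code and none of the commenters posted it). The names `verifyNonce`, `nonceCheckOptions`, `decodeClaims` and `buildUnsignedIDToken`, the `IsRefresh` option and the sample nonce value are all assumptions made for the illustration. The example deliberately skips signature, issuer, audience and expiry verification so it runs offline on a constructed alg=none token; real code must do those checks before the nonce logic is reached.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// idTokenClaims holds only the claims this example inspects. Nonce is a
// pointer so that an absent claim can be told apart from an empty string.
type idTokenClaims struct {
	Subject string  `json:"sub"`
	Nonce   *string `json:"nonce,omitempty"`
}

// nonceCheckOptions mirrors the two settings discussed in the thread:
// the existing insecureSkipNonce flag, plus whether the token being checked
// came from a refresh response rather than the initial authorization.
// (Hypothetical names; not oauth2-proxy's real option struct.)
type nonceCheckOptions struct {
	InsecureSkipNonce bool
	IsRefresh         bool
}

var (
	errNonceMissing  = errors.New("nonce claim missing from initial ID token")
	errNonceMismatch = errors.New("nonce claim does not match the nonce sent in the authorization request")
)

// decodeClaims pulls the claims out of a compact JWS. It deliberately does
// NOT verify the signature; in real code the token must be signature-,
// issuer-, audience- and expiry-checked before the nonce logic runs.
func decodeClaims(idToken string) (*idTokenClaims, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed ID token: expected three dot-separated segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding ID token payload: %w", err)
	}
	var claims idTokenClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parsing ID token claims: %w", err)
	}
	return &claims, nil
}

// verifyNonce applies the behaviour proposed in the thread:
//   - insecureSkipNonce=true: never check the nonce.
//   - insecureSkipNonce=false, initial token: nonce must be present and match.
//   - insecureSkipNonce=false, refreshed token: nonce may be absent (as with
//     Keycloak and ForgeRock); if present it must match the initial nonce.
func verifyNonce(claims *idTokenClaims, expectedNonce string, opts nonceCheckOptions) error {
	if opts.InsecureSkipNonce {
		return nil
	}
	if claims.Nonce == nil {
		if opts.IsRefresh {
			return nil // refresh responses need not repeat the nonce
		}
		return errNonceMissing
	}
	if subtle.ConstantTimeCompare([]byte(*claims.Nonce), []byte(expectedNonce)) != 1 {
		return errNonceMismatch
	}
	return nil
}

// buildUnsignedIDToken fabricates an alg=none token for the demo. It exists
// only so the example runs offline; never accept such tokens in production.
func buildUnsignedIDToken(claims map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	const nonce = "n-0S6_WzA2Mj" // constructed sample nonce, not from the thread
	cases := []struct {
		name  string
		token string
		opts  nonceCheckOptions
	}{
		{"initial token with nonce", buildUnsignedIDToken(map[string]any{"sub": "alice", "nonce": nonce}), nonceCheckOptions{}},
		{"refreshed token without nonce", buildUnsignedIDToken(map[string]any{"sub": "alice"}), nonceCheckOptions{IsRefresh: true}},
		{"refreshed token with wrong nonce", buildUnsignedIDToken(map[string]any{"sub": "alice", "nonce": "other"}), nonceCheckOptions{IsRefresh: true}},
	}
	for _, c := range cases {
		claims, err := decodeClaims(c.token)
		if err == nil {
			err = verifyNonce(claims, nonce, c.opts)
		}
		fmt.Printf("%-35s -> %v\n", c.name, err)
	}
}
```

The point of keeping `IsRefresh` as a separate input rather than folding it into `InsecureSkipNonce` is exactly the one raised in the thread: the initial ID token still gets the full nonce check, so the replay protection the nonce exists for is not given up just to make refresh work against providers that omit the claim.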

No branches or pull requests

3 participants