Skip to content

feat: make nonce handling configurable#111

Open
bvogel wants to merge 3 commits into
nhosoya:masterfrom
bvogel:fix/apple-session-handling
Open

feat: make nonce handling configurable#111
bvogel wants to merge 3 commits into
nhosoya:masterfrom
bvogel:fix/apple-session-handling

Conversation

@bvogel

@bvogel bvogel commented Dec 21, 2023

Copy link
Copy Markdown

This PR will introduce a individual handling of the nonce validation that is significantly hindered by Apple with using a POST callback.

Added specs, README too.

fixes #102 and
fixes #103

Just reopening #107 with an additional fix.

See all discussion over there.

@bvogel bvogel changed the title Fix: apple session handling feat: make nonce handling configurable Dec 21, 2023
Comment thread README.md Outdated
@btalbot

btalbot commented Dec 21, 2023

Copy link
Copy Markdown
Contributor

OmniAuth and its plugins are Rack middleware and do not require Rails. I see that there are some rails specific extensions being used in this PR which will break when Rails is not available.

@bvogel

bvogel commented Dec 24, 2023

Copy link
Copy Markdown
Author

@btalbot Thanks for pointing that out. I'll look into ways to interact with cookies without the rails intermediate layer. But as the rails dependency is only required in testing would it be fine to keep it as dev dependency only?

@btalbot

btalbot commented Dec 26, 2023

Copy link
Copy Markdown
Contributor

Seems like the best way to ensure that rails extensions are not present is to not include them in any dependency; otherwise, how can you be sure?

@erkie

erkie commented Jan 9, 2024

Copy link
Copy Markdown

@bvogel thanks for your work on this. spent 2 hours trying to debug this issue and finally found this. I hope this gets merged 🙏

@yshmarov

yshmarov commented Jun 29, 2024

Copy link
Copy Markdown

works for me!

currently I see no way to effectively use the gem without this addition

verify_iat!(id_token)
verify_exp!(id_token)
verify_nonce!(id_token) if id_token[:nonce_supported]
verify_nonce!(id_token) if id_token[:nonce_supported] && options[:nonce] != :ignore

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity, have you considered applying the suggestion made by @btalbot in #102 and just avoid verifying a blank nonce ?

Suggested change
verify_nonce!(id_token) if id_token[:nonce_supported] && options[:nonce] != :ignore
verify_nonce!(id_token) if id_token[:nonce_supported] && id_token[:nonce].present?

If so then may I ask why you decided not to use this solution ? It seems to work for me and requires a lot less changes in the code.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this would pass even if nonce is required but nor returned, which I would consider a security risk.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad, what I meant was to update verify_nonce like this

      def verify_nonce!(id_token)
        invalid_claim! :nonce unless id_token[:nonce] == stored_nonce
      end

From my understanding stored_nonce will always be defined when the nonce is required and will not be defined when it's not so only checking that the token's nonce equals the stored_nonce would result in either checking whether "nonce is optional" or "nonce is required and it matches", wouldn't it ?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bvogel do you think that solution could work in the end ?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, as the stored_nonce is taken from the session that isn't present anymore if any SameSite strategy other then :none is used, the reason why I introduces the change in the first place

@ThisIsMissEm

Copy link
Copy Markdown

If you switch this driver from using response_mode of form_post to query then you should see things work fine. The only caveat: it's technically then possible for something to steal the authorization code – this is also a problem in form_post – and the solution for that is PKCE, but Apple doesn't advertise support for it in their OpenID Configuration (I'd be surprised if they didn't implement it though)

Take a look at RFC9700, it has current security best practices in it.

@bvogel

bvogel commented May 23, 2025

Copy link
Copy Markdown
Author

If you switch this driver from using response_mode of form_post to query then you should see things work fine.

I may be a bit slow, but all the code available to an omniauth extension as this is basically what's in the lib/omniauth/strategies/apple.rb class. In there I can't seem to change the response_mode, please guide me to the right approach and I will happily change this PR.

@ThisIsMissEm

Copy link
Copy Markdown

It should just be a matter of changing this line: https://github.com/nhosoya/omniauth-apple/blob/master/lib/omniauth/strategies/apple.rb#L19

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Getting error as id_token_claims_invalid | nonce invalid nonce is optional in callback

6 participants