Allow to pass a nonce through the client

fsinfuhh · Sep 30, 2024 · da89506 · da89506
1 parent fa23352
commit da89506
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/src/simple_openid_connect/flows/authorization_code_flow/__init__.py b/src/simple_openid_connect/flows/authorization_code_flow/__init__.py
@@ -32,6 +32,7 @@ def start_authentication(
     client_id: str,
     redirect_uri: str,
     state: Optional[str] = None,
+    nonce: Optional[str] = None,
     prompt: Optional[Union[list[str], str]] = None,
     code_challenge: Optional[str] = None,
     code_challenge_method: Optional[str] = None,
@@ -41,6 +42,7 @@ def start_authentication(
     returning a which the end user now needs to visit.
 
     :param state: The state intended to prevent Cross-Site Request Forgery.
+    :param nonce: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
     :param prompt: Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
         The defined values are: "none", "login", "consent" and "select_account", multiple may be given as a list.
 
@@ -52,6 +54,7 @@ def start_authentication(
         redirect_uri=redirect_uri,
         response_type="code",
         state=state,
+        nonce=nonce,
         prompt=prompt.split(" ") if isinstance(prompt, str) else prompt,
         code_challenge=code_challenge,
         code_challenge_method=code_challenge_method,

diff --git a/src/simple_openid_connect/flows/authorization_code_flow/client.py b/src/simple_openid_connect/flows/authorization_code_flow/client.py
@@ -30,6 +30,7 @@ def __init__(self, base_client: "OpenidClient"):
     def start_authentication(
         self,
         state: Optional[str] = None,
+        nonce: Optional[str] = None,
         prompt: Optional[Union[list[str], str]] = None,
         code_challenge: Optional[str] = None,
         code_challenge_method: Optional[str] = None,
@@ -39,6 +40,7 @@ def start_authentication(
         returning a which the end user now needs to visit.
 
         :param state: The state intended to prevent Cross-Site Request Forgery.
+        :param nonce: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
         :param prompt: Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
             The defined values are: "none", "login", "consent" and "select_account", multiple may be given as a list.
         :param code_challenge: The code challenge intended for use with Proof Key for Code Exchange (PKCE) [RFC7636].
@@ -61,6 +63,7 @@ def start_authentication(
             self._base_client.client_auth.client_id,
             redirect_uri.tostr(),
             state=state,
+            nonce=nonce,
             prompt=prompt,
             code_challenge=code_challenge,
             code_challenge_method=code_challenge_method,