
OIDC nonce parameter support (#77)
* OIDC nonce parameter support

* Update README.md
strehle authored Jan 13, 2025
1 parent e98f5cd commit 664076e
Showing 3 changed files with 10 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -56,6 +56,7 @@ Flags:
-client_assertion External client token to perform client authentication. Use this parameter instead of client_jwt or client_jwt_key parameters.
-assertion Input token for token exchanges, e.g. jwt-bearer and token-exchange.
-scope OIDC scope parameter. This is an optional flag, default is openid. If you set none, the parameter scope will be omitted in request.
-nonce OIDC nonce parameter. This is an optional flag. If you do not set it, the parameter will be omitted in request.
-refresh Bool flag. Default false. If true, call refresh flow for the received id_token.
-idp_token Bool flag. Default false. If true, call the OIDC IdP token exchange endpoint (IAS specific only) and return the response.
-idp_scope OIDC scope parameter. Default no scope is set. If you set the parameter idp_scope, it is set in IdP token exchange endpoint (IAS specific only).
6 changes: 6 additions & 0 deletions openid-client/openid-client.go
Expand Up @@ -57,6 +57,7 @@ func main() {
" -client_assertion External client token to perform client authentication. Use this parameter instead of client_jwt or client_jwt_key parameters.\n" +
" -assertion Input token for token exchanges, e.g. jwt-bearer and token-exchange.\n" +
" -scope OIDC scope parameter. This is an optional flag, default is openid. If you set none, the parameter scope will be omitted in request.\n" +
" -nonce OIDC nonce parameter. This is an optional flag. If you do not set it, the parameter will be omitted in request.\n" +
" -refresh Bool flag. Default false. If true, call refresh flow for the received id_token.\n" +
" -idp_token Bool flag. Default false. If true, call the OIDC IdP token exchange endpoint (IAS specific only) and return the response.\n" +
" -idp_scope OIDC scope parameter. Default no scope is set. If you set the parameter idp_scope, it is set in IdP token exchange endpoint (IAS specific only).\n" +
Expand Down Expand Up @@ -86,6 +87,7 @@ func main() {
var doRefresh = flag.Bool("refresh", false, "Refresh the received id_token")
var isVerbose = flag.Bool("v", false, "Show more details about calls")
var scopeParameter = flag.String("scope", "", "OIDC scope parameter")
var nonceParameter = flag.String("nonce", "", "OIDC nonce parameter")
var doCorpIdpTokenExchange = flag.Bool("idp_token", false, "Return OIDC IdP token response")
var refreshExpiry = flag.String("refresh_expiry", "", "Value in seconds to reduce Refresh Token Lifetime")
var tokenFormatParameter = flag.String("token_format", "opaque", "Format for access_token")
Expand Down Expand Up @@ -407,6 +409,10 @@ func main() {
} else if *command == "jwks" {
}
} else {
// nonceParameter, only in authorize
if *nonceParameter != "" {
requestMap.Set("nonce", *nonceParameter)
}
var idToken, refreshToken = client.HandleOpenIDFlow(requestMap, verbose, callbackURL, *scopeParameter, *tokenFormatParameter, *portParameter, claims.EndSessionEndpoint, privateKeyJwt, *provider, *tlsClient)
if *doRefresh {
if refreshToken == "" {
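Review bot: The comment `// nonceParameter, only in authorize` on the new block says less than it should: the flag is silently dropped for every other command (the `else` branch is the only place it is read), and neither the comment nor the flag's help text tells the user that. I would reword it as `// nonce applies only to the authorization request built by HandleOpenIDFlow; the other commands ignore the flag.` and, in the flag declaration hunk above, make the help text say so: `flag.String("nonce", "", "OIDC nonce parameter (authorization code flow only)")`. A verbose-mode warning when `*nonceParameter` is set on a command that does not use it would also be reasonable, but that is a judgement call. The enclosing `main` starts and ends outside the hunk.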
3 changes: 3 additions & 0 deletions pkg/client/client.go
Expand Up @@ -113,6 +113,9 @@ func HandleOpenIDFlow(request url.Values, verbose bool, callbackURL string, scop
if request.Has("login_hint") {
query.Set("login_hint", request.Get("login_hint"))
}
if request.Has("nonce") {
query.Set("nonce", request.Get("nonce"))
}
authzURL.RawQuery = query.Encode()

//cmd := exec.Command("open", authzURL.String())
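Review bot: The nonce is forwarded into the authorization request, but nothing in this hunk compares the `nonce` claim of the id_token that comes back with the value sent, and a nonce that is never checked is only an echoed parameter rather than the replay/session binding OIDC intends it to be. HandleOpenIDFlow starts and ends outside the hunk, so if the id_token is parsed and validated later in the function the comparison belongs there: read the parsed token's `nonce` claim, compare it with `request.Get("nonce")` when one was sent, and fail the flow on mismatch. The `login_hint` and `nonce` copies are the same three-line pattern twice; a loop over `[]string{"login_hint", "nonce"}` calling `query.Set(k, request.Get(k))` when `request.Has(k)` would keep the pass-through list in one place.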
