providers/oauth2: nonce is only required for implicit flows, don't check or fallback for other flows

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-07-21 00:21:08 +02:00 · 2021-07-21 00:21:08 +02:00 · 2352a7f4d6
parent d89266a9d2
commit 2352a7f4d6
1 changed files with 4 additions and 0 deletions
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -192,6 +192,10 @@ class OAuthAuthorizationParams:

    def check_nonce(self):
        """Nonce parameter validation."""
+        # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation
+        # Nonce is only required for Implicit flows
+        if self.grant_type != GrantTypes.IMPLICIT:
+            return
        if not self.nonce:
            self.nonce = self.state
            LOGGER.warning("Using state as nonce for OpenID Request")