providers/oauth2: nonce is only required for implicit flows, don't check or fallback for other flows

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-07-21 00:21:08 +02:00
parent d89266a9d2
commit 2352a7f4d6

View file

@ -192,6 +192,10 @@ class OAuthAuthorizationParams:
def check_nonce(self):
"""Nonce parameter validation."""
# https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation
# Nonce is only required for Implicit flows
if self.grant_type != GrantTypes.IMPLICIT:
return
if not self.nonce:
self.nonce = self.state
LOGGER.warning("Using state as nonce for OpenID Request")