This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Refresh Token Does Not Return Nonce #2180

Closed
ghost opened this issue Mar 27, 2018 · 5 comments
ghost commented Mar 27, 2018

Issue / Steps to reproduce the problem

Calling Refresh Token with a nonce in the request does not return a nonce.

OpenID Connect Core Section 2 states:

If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.

Relevant parts of the log file

2018-03-27 16:29:45.182 -05:00 [INF] ValidatedAuthorizeRequest
{
  "ClientId": "native.code",
  "ClientName": "Native Code",
  "RedirectUri": "redacted-app://oauth-callback/",
  "AllowedRedirectUris": [
    "redacted-app://oauth-callback/"
  ],
  "SubjectId": "redacted",
  "ResponseType": "code",
  "ResponseMode": "query",
  "GrantType": "authorization_code",
  "RequestedScopes": "openid redacted offline_access",
  "State": "Sulxc0EcL85Hu_gbQiK7ATf7kG9jCQKiwfxf3Owd_cc",
  "Nonce": "okfVh2Fd2up_lmJPQ_YcsG6JXUDdn6LAUEIlsny9jEE",
  "Raw": {
    "nonce": "okfVh2Fd2up_lmJPQ_YcsG6JXUDdn6LAUEIlsny9jEE",
    "response_type": "code",
    "code_challenge_method": "S256",
    "scope": "openid redacted offline_access",
    "code_challenge": "onjmf4iyxfZyl182EOBDZQ7E3tRqrxSZYCUQpFMF3bo",
    "redirect_uri": "redacted://oauth-callback/",
    "client_id": "native.code",
    "state": "Sulxc0EcL85Hu_gbQiK7ATf7kG9jCQKiwfxf3Owd_cc"
  }
}
2018-03-27 16:29:49.734 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
2018-03-27 16:29:49.743 -05:00 [INF] Token request validation success
{
  "ClientId": "native.code",
  "ClientName": "Native Code",
  "GrantType": "refresh_token",
  "RefreshToken": "fbe9280ef6ac22a04b605688929d842c4db72fa241b0161bcc37d22d29f638e7",
  "Raw": {
    "refresh_token": "fbe9280ef6ac22a04b605688929d842c4db72fa241b0161bcc37d22d29f638e7",
    "scope": "openid redacted offline_access",
    "redirect_uri": "redacted://oauth-callback/",
    "client_id": "native.code",
    "grant_type": "refresh_token"
  }
}
@brockallen (Member) commented:

Isn't that statement from the spec at the time the code is being exchanged for the access & refresh token? I don't think that's at the time a refresh token is being exchanged for a new access token.

ghost commented Apr 2, 2018

@WilliamDenniss - Reading back through, this makes sense as not pertaining to a refresh token request.

@brockallen (Member) commented:

So then can we close this issue?

@ghost ghost closed this as completed Apr 5, 2018
@WilliamDenniss commented:

Agreed. This is how Google has implemented it too.

When the point was raised earlier, I thought the error was on the authorization_code exchange, not refresh_token. Looking at the spec, it is a little ambiguous, but I think the intention is that it's only the code exchange (and that's how everyone has implemented it).

Thanks for the discussion!
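
The distinction the thread settles on, written out as an added example (this is not code from IdentityServer4 or from anyone in this issue): the relying-party claim checks a client applies to an ID Token returned on the authorization_code exchange, where the nonce from the authentication request must be echoed back, versus one returned on a refresh_token grant, where no authentication request took place and the thread's reading is that no nonce is required. It is Python rather than C# because the check is client-side and independent of the server implementation. The issuer URL, subject and timestamps are constructed; the client_id and nonce are the values from the log above; signature, algorithm and key checks are assumed to have been done before these claim checks run.

```python
"""Client-side ID Token claim checks: code exchange vs. refresh_token grant.

Added example, not IdentityServer4 code. Signature verification is assumed
to have happened already; only the claim logic is shown.
"""
import hmac

ISSUER = "https://idp.example"                          # constructed issuer URL
CLIENT_ID = "native.code"                               # client_id from the issue log
NONCE = "okfVh2Fd2up_lmJPQ_YcsG6JXUDdn6LAUEIlsny9jEE"   # nonce from the issue log
NOW = 1522186200                                        # constructed "current time"

# Constructed decoded payload of the ID Token from the authorization_code exchange.
CODE_EXCHANGE_CLAIMS = {
    "iss": ISSUER, "sub": "redacted-subject", "aud": CLIENT_ID,
    "iat": NOW - 15, "exp": NOW + 300, "nonce": NONCE,
}
# Constructed payload of an ID Token issued later on a refresh_token grant:
# same issuer, subject and audience, new timestamps, and no nonce claim.
REFRESH_CLAIMS = {
    "iss": ISSUER, "sub": "redacted-subject", "aud": CLIENT_ID,
    "iat": NOW + 240, "exp": NOW + 540,
}


def _audiences(claims):
    """aud may be a single string or a list; normalise to a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def _common_problems(claims, *, issuer, client_id, now):
    """Checks that apply to every ID Token regardless of which grant issued it."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected issuer")
    auds = _audiences(claims)
    if client_id not in auds:
        problems.append("aud does not contain this client_id")
    if len(auds) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("ID Token is expired or has no exp")
    return problems


def code_exchange_problems(claims, *, issuer, client_id, nonce, now):
    """ID Token returned when the authorization code is exchanged.

    A nonce was sent in the authentication request, so the token MUST carry
    it back unchanged (OpenID Connect Core, as quoted in the issue).
    Returns a list of problems; an empty list means the token is acceptable.
    """
    problems = _common_problems(claims, issuer=issuer, client_id=client_id, now=now)
    token_nonce = claims.get("nonce")
    if token_nonce is None:
        problems.append("nonce missing: a nonce was sent in the authentication request")
    elif not hmac.compare_digest(str(token_nonce), nonce):
        problems.append("nonce does not match the one sent in the authentication request")
    return problems


def refresh_problems(claims, original, *, issuer, client_id, now):
    """ID Token returned on a refresh_token grant.

    No authentication request preceded this token, so (per the reading in
    this thread) no nonce is required and its absence is not an error. What
    the client does check is continuity with the original ID Token: the
    refreshed token must describe the same issuer, subject and audience.
    """
    problems = _common_problems(claims, issuer=issuer, client_id=client_id, now=now)
    for claim in ("iss", "sub"):
        if claims.get(claim) != original.get(claim):
            problems.append(f"{claim} changed between the original ID Token and the refresh")
    if set(_audiences(claims)) != set(_audiences(original)):
        problems.append("aud changed between the original ID Token and the refresh")
    return problems


if __name__ == "__main__":
    print("code exchange:", code_exchange_problems(
        CODE_EXCHANGE_CLAIMS, issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE, now=NOW))
    print("refresh:", refresh_problems(
        REFRESH_CLAIMS, CODE_EXCHANGE_CLAIMS, issuer=ISSUER, client_id=CLIENT_ID, now=NOW + 250))
```

The two functions deliberately differ only in what they demand of the nonce: rejecting the refresh response because `nonce` is absent would break against IdentityServer4, Google and the other providers the thread mentions, while accepting a code-exchange ID Token without the nonce would discard the replay protection the nonce exists for.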


github-actions bot commented Jun 1, 2021

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 1, 2021