fix: IDToken nonce should not be checked (PS-385)

Author: splaunov

selfservice/strategy/oidc/strategy.go

@@ -726,7 +726,7 @@ func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context, _ session.
 	}
 }
 
-func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
+func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provider Provider, idToken string) (*Claims, error) {
 	verifier, ok := provider.(IDTokenVerifier)
 	if !ok {
 		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider))
@@ -750,14 +750,7 @@ func (s *Strategy) processIDToken(w http.ResponseWriter, r *http.Request, provid
 		// If the provider does not support nonces, we don't do validation and return the claim.
 		// This case only applies to Apple, as some of their devices do not support nonces.
 		// https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
-	} else if idTokenNonce == "" {
-		// A nonce was present in the JWT token, but no nonce was submitted in the flow
-		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider"))
-	} else if idTokenNonce != claims.Nonce {
-		// The nonce from the JWT token does not match the nonce from the flow.
-		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
-	}
-	// Nonce checking was successful
+	}
 
 	return claims, nil
 }

selfservice/strategy/oidc/strategy_login.go

@@ -238,7 +238,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
 	}
 
 	if p.IDToken != "" {
-		claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce)
+		claims, err := s.processIDToken(w, r, provider, p.IDToken)
 		if err != nil {
 			return nil, s.handleError(w, r, f, pid, nil, err)
 		}

selfservice/strategy/oidc/strategy_registration.go

@@ -196,7 +196,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat
 	}
 
 	if p.IDToken != "" {
-		claims, err := s.processIDToken(w, r, provider, p.IDToken, p.IDTokenNonce)
+		claims, err := s.processIDToken(w, r, provider, p.IDToken)
 		if err != nil {
 			return s.handleError(w, r, f, pid, nil, err)
 		}

selfservice/strategy/oidc/strategy_test.go

@@ -800,23 +800,6 @@ func TestStrategy(t *testing.T) {
 					require.Equal(t, "No nonce was included in the id_token but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
 				},
 			},
-			{
-				name: "should fail if no nonce is supplied in request",
-				idToken: `{
-					"iss": "https://appleid.apple.com",
-					"sub": "{{sub}}",
-					"nonce": "{{nonce}}"
-				}`,
-				v: func(provider, token, _ string) url.Values {
-					return url.Values{
-						"id_token": {token},
-						"provider": {provider},
-					}
-				},
-				expect: func(t *testing.T, res *http.Response, body []byte) {
-					require.Equal(t, "No nonce was provided but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
-				},
-			},
 			{
 				name: "should pass if claims are valid",
 				idToken: `{
@@ -828,17 +811,6 @@ func TestStrategy(t *testing.T) {
 					require.NotEmpty(t, gjson.GetBytes(body, "session_token").String(), "%s", body)
 				},
 			},
-			{
-				name: "nonce mismatch",
-				idToken: `{
-					"iss": "https://appleid.apple.com",
-					"sub": "{{sub}}",
-					"nonce": "random-nonce"
-				}`,
-				expect: func(t *testing.T, res *http.Response, body []byte) {
-					require.Equal(t, "The supplied nonce does not match the nonce from the id_token", gjson.GetBytes(body, "error.reason").String(), "%s", body)
-				},
-			},
 		} {
 			tc := tc
 			t.Run(fmt.Sprintf("flow=registration/case=%s", tc.name), func(t *testing.T) {