Disabling Nonce using 12.1.0 version #1143

Open
nishyanthp opened this issue Oct 4, 2021 · 2 comments
Labels
question For tagging support requests and general questions.

Comments

nishyanthp commented Oct 4, 2021

In one of my Angular applications I implemented the AuthCode flow using angular-oauth2-oidc version 10. I had a situation where I needed to disable nonce checks, so I upgraded the package to version 12.1.0, since it has the disableNonceCheck property in the LoginOptions class.

After updating the package and setting disableNonceCheck = true, the application is not redirecting to the Identity Provider login page. Below is the code I used:

var options = new LoginOptions();
options.disableNonceCheck = true;

this.oauthService.tryLoginCodeFlow(options).then(info => {
    // logic
})

To make it work I made a small tweak in the angular-oauth2-oidc.js file in the following location, "node_modules\angular-oauth2-oidc\fesm2015", in the tryLoginCodeFlow method.

Original Code:

if (!options.disableNonceCheck) {
    if (!nonceInState) {
        return Promise.resolve();
    }
    if (!options.disableOAuth2StateCheck) {
        const success = this.validateNonce(nonceInState);
        if (!success) {
            const event = new OAuthErrorEvent('invalid_nonce_in_state', null);
            this.eventsSubject.next(event);
            return Promise.reject(event);
        }
    }

    // Still inside the nonce block: with disableNonceCheck = true none of this runs
    // and the method falls through without returning a promise.
    this.storeSessionState(sessionState);
    if (code) {
        return this.getTokenFromCode(code, options).then((_) => null);
    }
    else {
        return Promise.resolve();
    }
}
}

Updated Code:

if (!options.disableNonceCheck) {
    if (!nonceInState) {
        return Promise.resolve();
    }
    if (!options.disableOAuth2StateCheck) {
        const success = this.validateNonce(nonceInState);
        if (!success) {
            const event = new OAuthErrorEvent('invalid_nonce_in_state', null);
            this.eventsSubject.next(event);
            return Promise.reject(event);
        }
    }
} // nonce block now closes here, so the code exchange below runs either way
this.storeSessionState(sessionState);
if (code) {
    return this.getTokenFromCode(code, options).then((_) => null);
}
else {
    return Promise.resolve();
}
}

I closed the curly brace for the nonce check (!options.disableNonceCheck) before the this.storeSessionState(sessionState) line; once this change was made it started working.

We have the option of disabling the nonce check, but it stops the website from loading.

Please let me know thoughts on this.
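The control-flow defect quoted above, modelled as an added example. This is not angular-oauth2-oidc's own code: it is a standalone JavaScript reduction of the tryLoginCodeFlow branch shown in the issue, with the service internals (validateNonce, storeSessionState, getTokenFromCode, eventsSubject) replaced by a recording stub, the callback parameters (code, nonceInState, sessionState) passed in directly instead of being parsed from the redirect URL, and a constructed authorization code and nonce as input. The "buggy" variant keeps the code exchange inside the `if (!options.disableNonceCheck)` block, so with the check disabled the function falls off the end and returns undefined: no token request, no error event, and nothing for the caller's `.then` to chain on. The "fixed" variant moves the closing brace as the issue describes. One caveat worth keeping in mind when flipping this flag: the nonce the library carries in `state` is what ties the callback to the login this browser started, so disabling the comparison means any code delivered to the redirect URI gets exchanged; the example keeps the mismatch rejection intact whenever the check is left on.

```javascript
// Added example, not code from angular-oauth2-oidc: a standalone reduction of
// the tryLoginCodeFlow branch quoted in the issue, with the service internals
// stubbed so the two variants can be compared on the same constructed input.

class OAuthErrorEvent {
  constructor(type, reason) {
    this.type = type;
    this.reason = reason;
  }
}

// Recording stub for the parts of OAuthService the quoted code touches.
// `expectedNonce` stands in for the nonce saved in storage when the login started.
class FakeOAuthService {
  constructor(expectedNonce) {
    this.expectedNonce = expectedNonce;
    this.events = [];
    this.storedSessionState = null;
    this.exchangedCode = null;
    this.eventsSubject = { next: (event) => this.events.push(event) };
  }
  validateNonce(nonceInState) {
    return nonceInState === this.expectedNonce;
  }
  storeSessionState(sessionState) {
    this.storedSessionState = sessionState;
  }
  getTokenFromCode(code, _options) {
    this.exchangedCode = code; // records that a token request would be sent
    return Promise.resolve({ access_token: 'constructed-token' });
  }
}

// 12.1.0 as quoted: the code exchange lives INSIDE the nonce block. With
// disableNonceCheck = true no branch is taken and the function returns undefined.
function tryLoginCodeFlowBuggy(svc, { code, nonceInState, sessionState }, options) {
  if (!options.disableNonceCheck) {
    if (!nonceInState) {
      return Promise.resolve();
    }
    if (!options.disableOAuth2StateCheck) {
      const success = svc.validateNonce(nonceInState);
      if (!success) {
        const event = new OAuthErrorEvent('invalid_nonce_in_state', null);
        svc.eventsSubject.next(event);
        return Promise.reject(event);
      }
    }
    svc.storeSessionState(sessionState);
    if (code) {
      return svc.getTokenFromCode(code, options).then((_) => null);
    }
    return Promise.resolve();
  }
  // falls through here when the check is disabled: returns undefined
}

// Corrected flow (brace moved as the issue describes): disabling the check
// skips only the nonce comparison; the code is still exchanged for tokens.
function tryLoginCodeFlowFixed(svc, { code, nonceInState, sessionState }, options) {
  if (!options.disableNonceCheck) {
    if (!nonceInState) {
      return Promise.resolve();
    }
    if (!options.disableOAuth2StateCheck) {
      const success = svc.validateNonce(nonceInState);
      if (!success) {
        const event = new OAuthErrorEvent('invalid_nonce_in_state', null);
        svc.eventsSubject.next(event);
        return Promise.reject(event);
      }
    }
  }
  svc.storeSessionState(sessionState);
  if (code) {
    return svc.getTokenFromCode(code, options).then((_) => null);
  }
  return Promise.resolve();
}

// Drive one variant with a constructed callback (an authorization code plus the
// nonce carried back in `state`) and report, synchronously, what it did.
function exercise(flow, options, nonceInState = 'n-123') {
  const svc = new FakeOAuthService('n-123');
  const callback = { code: 'SplxlOBeZQQYbYS6WxSbIA', nonceInState, sessionState: 'sess-1' };
  const result = flow(svc, callback, options);
  if (result instanceof Promise) {
    result.catch(() => {}); // a rejection is the expected outcome in the bad-nonce case
  }
  return {
    returnsPromise: result instanceof Promise,
    exchangedCode: svc.exchangedCode,
    errorEvents: svc.events.map((e) => e.type),
  };
}

const scenarios = [
  ['buggy, disableNonceCheck=true', tryLoginCodeFlowBuggy, { disableNonceCheck: true }, 'n-123'],
  ['fixed, disableNonceCheck=true', tryLoginCodeFlowFixed, { disableNonceCheck: true }, 'n-123'],
  ['fixed, check on, nonce matches', tryLoginCodeFlowFixed, {}, 'n-123'],
  ['fixed, check on, nonce mismatch', tryLoginCodeFlowFixed, {}, 'attacker'],
];
for (const [label, flow, options, nonce] of scenarios) {
  console.log(label, exercise(flow, options, nonce));
}
```

Running it shows the first scenario returning no promise and exchanging no code, the second exchanging the code with no error event, and the last one emitting invalid_nonce_in_state without ever calling getTokenFromCode.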

@jeroenheijmans jeroenheijmans added the question For tagging support requests and general questions. label Oct 4, 2021

rsi21 commented Jan 27, 2022

Hi,

In fact I'm facing the same issue right now; I also need to disable the nonce check for a specific environment, and it makes the code flow go to an error. I tried with 12.1.0 and with the latest version too.

But in fact, as pointed out by @nishyanthp, when the option disableNonceCheck is true, the only possible exit in the tryLoginCodeFlow function is Promise.reject().

Promise.reject() was not present in version 12.1.0, but the issue is the same, as the flow is interrupted in both cases.

@LucasG04

There is an open PR to solve this issue: #1211


4 participants