Squashed commit of the following:

github-actions[bot] · maoanran · commit e0d538a193e5 · 2025-03-14T15:32:41.000+01:00
commit 42c5270 Author: splaunov <splaunov@gmail.com> Date: Thu Jul 11 13:54:56 2024 +0300 fix: IDToken nonce should not be checked (PS-385)
diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go
@@ -751,14 +751,7 @@ func (s *Strategy) processIDToken(r *http.Request, provider Provider, idToken, i
 		// If the provider does not support nonces, we don't do validation and return the claim.
 		// This case only applies to Apple, as some of their devices do not support nonces.
 		// https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
-	} else if idTokenNonce == "" {
-		// A nonce was present in the JWT token, but no nonce was submitted in the flow
-		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider"))
-	} else if idTokenNonce != claims.Nonce {
-		// The nonce from the JWT token does not match the nonce from the flow.
-		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
-	}
-	// Nonce checking was successful
+	}
 
 	return claims, nil
 }
diff --git a/selfservice/strategy/oidc/strategy_test.go b/selfservice/strategy/oidc/strategy_test.go
@@ -984,23 +984,6 @@ func TestStrategy(t *testing.T) {
 					require.Equal(t, "No nonce was included in the id_token but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
 				},
 			},
-			{
-				name: "should fail if no nonce is supplied in request",
-				idToken: `{
-					"iss": "https://appleid.apple.com",
-					"sub": "{{sub}}",
-					"nonce": "{{nonce}}"
-				}`,
-				v: func(provider, token, _ string) url.Values {
-					return url.Values{
-						"id_token": {token},
-						"provider": {provider},
-					}
-				},
-				expect: func(t *testing.T, res *http.Response, body []byte) {
-					require.Equal(t, "No nonce was provided but is required by the provider", gjson.GetBytes(body, "error.reason").String(), "%s", body)
-				},
-			},
 			{
 				name: "should pass if claims are valid",
 				idToken: `{
@@ -1012,17 +995,6 @@ func TestStrategy(t *testing.T) {
 					require.NotEmpty(t, gjson.GetBytes(body, "session_token").String(), "%s", body)
 				},
 			},
-			{
-				name: "nonce mismatch",
-				idToken: `{
-					"iss": "https://appleid.apple.com",
-					"sub": "{{sub}}",
-					"nonce": "random-nonce"
-				}`,
-				expect: func(t *testing.T, res *http.Response, body []byte) {
-					require.Equal(t, "The supplied nonce does not match the nonce from the id_token", gjson.GetBytes(body, "error.reason").String(), "%s", body)
-				},
-			},
 		} {
 			tc := tc
 			t.Run(fmt.Sprintf("flow=registration/case=%s", tc.name), func(t *testing.T) {
