Merge pull request #98 from DuendeSoftware/brock/nonce_validation_onl…

…y_when_id_token Remove nonce requirement when no id_token requested from authorize endpoint
DuendeSoftware · Feb 3, 2021 · fcd12ab · fcd12ab
2 parents 6240997 + b0aab9a
commit fcd12ab
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 8 deletions.
diff --git a/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs b/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs
@@ -15,6 +15,7 @@
 using Duende.IdentityServer.Configuration;
 using Duende.IdentityServer.Logging.Models;
 using Duende.IdentityServer.Services;
+using static Duende.IdentityServer.IdentityServerConstants;
 
 namespace Duende.IdentityServer.Validation
 {
@@ -703,15 +704,10 @@ private async Task<AuthorizeRequestValidationResult> ValidateOptionalParametersA
             }
             else
             {
-                if (request.GrantType == GrantType.Implicit ||
-                    request.GrantType == GrantType.Hybrid)
+                if (request.ResponseType.FromSpaceSeparatedString().Contains(TokenTypes.IdentityToken))
                 {
-                    // only openid requests require nonce
-                    if (request.IsOpenIdRequest)
-                    {
-                        LogError("Nonce required for implicit and hybrid flow with openid scope", request);
-                        return Invalid(request, description: "Invalid nonce");
-                    }
+                    LogError("Nonce required for flow with id_token response type", request);
+                    return Invalid(request, description: "Invalid nonce");
                 }
             }
 

diff --git a/...er.UnitTests/Validation/AuthorizeRequest Validation/Authorize_ProtocolValidation_Valid.cs b/...er.UnitTests/Validation/AuthorizeRequest Validation/Authorize_ProtocolValidation_Valid.cs
@@ -151,6 +151,22 @@ public async Task Valid_OpenId_IdToken_Token_With_FormPost_ResponseMode_Request(
             result.IsError.Should().BeFalse();
         }
 
+        [Fact]
+        [Trait("Category", Category)]
+        public async Task Valid_OpenId_Code_Token_Request()
+        {
+            var parameters = new NameValueCollection();
+            parameters.Add(OidcConstants.AuthorizeRequest.ClientId, "hybridclient");
+            parameters.Add(OidcConstants.AuthorizeRequest.Scope, "openid");
+            parameters.Add(OidcConstants.AuthorizeRequest.RedirectUri, "https://server/cb");
+            parameters.Add(OidcConstants.AuthorizeRequest.ResponseType, OidcConstants.ResponseTypes.CodeToken);
+
+            var validator = Factory.CreateAuthorizeRequestValidator();
+            var result = await validator.ValidateAsync(parameters);
+
+            result.IsError.Should().BeFalse();
+        }
+
         [Fact]
         [Trait("Category", Category)]
         public async Task Valid_ResponseMode_For_Code_ResponseType()