OIDC Access Application Bug Report - Nonce not present in id_token when set in auth

I am trying to set up Vault’s OIDC Auth as an Access OIDC application.

In the authentication request, a nonce was included:

https://team.cloudflareaccess.com/cdn-cgi/access/sso/oidc/REDACTED/authorization?client_id=582c9a6034c3912281f3189aca64d555e99eebd9d3c4065428fc54e74c3f7340&code_challenge=HKz4zZU2DxcLtyPAlGdnXxlBJ-AYKsrlzfErDatSAVw&code_challenge_method=S256&nonce=n_z2wLDsosOEYn6HQf5fVI&redirect_uri=https%3A%2F%2Fvault.company.com%3A8200%2Fui%2Fvault%2Fauth%2Fcloudflare%2Foidc%2Fcallback&response_type=code&scope=openid+profile+groups+email&state=st_OqZDw0WKOL7HSuNLY9Qn

Note that the nonce is n_z2wLDsosOEYn6HQf5fVI.

When the relying party takes the code and exchanges it for a token, this is the id_token that is returned:

{
  "jti": "tgTDIPQc98nRUUU2TyrxCsJ3QdGQUX9r",
  "aud": "REDACTED",
  "iss": "https://team.cloudflareaccess.com/cdn-cgi/access/sso/oidc/REDACTED",
  "sub": "REDACTED",
  "amr": [
    "rsa",
    "mfa"
  ],
  "exp": 1716287870,
  "iat": 1716287570,
  "email": "REDACTED",
  "name": "REDACTED",
  "groups": [
    "REDACTED"
  ]
}

Note that the JWT is missing the nonce, even though one was provided to the authentication request.

According to the spec, if present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.

As the nonce is missing from the JWT, it breaks relying parties that have implemented the spec, causing the login to fail.

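The relying-party check that fails here, as an added example (not Vault's or Cloudflare's code): it recovers the nonce from the authorization request, reads the ID token payload, and applies the OIDC Core 3.1.3.7 rule that a sent nonce must come back unchanged. The token builder, the abbreviated authorization URL and the claim sets are constructed for the demo; signature verification is out of scope.

```python
import base64
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Abbreviated form of the authorization request from the report (constructed; same nonce).
AUTH_REQUEST = ("https://team.cloudflareaccess.com/cdn-cgi/access/sso/oidc/REDACTED/authorization"
                "?client_id=REDACTED&nonce=n_z2wLDsosOEYn6HQf5fVI&response_type=code"
                "&scope=openid+profile+groups+email")
SENT_NONCE = "n_z2wLDsosOEYn6HQf5fVI"  # what the RP stored in its session before redirecting

# Constructed claim sets: the reported token (no nonce) and the corrected one.
BROKEN_CLAIMS = {"iss": "https://team.cloudflareaccess.com/cdn-cgi/access/sso/oidc/REDACTED",
                 "aud": "REDACTED", "sub": "REDACTED", "exp": 1716287870, "iat": 1716287570}
FIXED_CLAIMS = {**BROKEN_CLAIMS, "nonce": SENT_NONCE}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def demo_token(claims: dict) -> str:
    """Constructed demo JWT with an empty signature segment; a real RP verifies the JWS first."""
    return ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode()), ""])

def payload_claims(id_token: str) -> dict:
    """Parse the payload segment of a compact JWT (header.payload.signature)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def nonce_from_request(auth_url: str) -> Optional[str]:
    """Recover the nonce the RP put in its authorization request."""
    values = parse_qs(urlparse(auth_url).query).get("nonce", [])
    return values[0] if values else None

def check_nonce(claims: dict, sent_nonce: Optional[str]) -> Tuple[bool, str]:
    """OIDC Core 3.1.3.7: if a nonce was sent, the ID token must carry that exact value."""
    if sent_nonce is None:
        return True, "no nonce sent; claim not required"
    received = claims.get("nonce")
    if received is None:
        return False, "nonce sent but missing from ID token"
    if received != sent_nonce:
        return False, "nonce mismatch"
    return True, "nonce matches"

if __name__ == "__main__":
    for label, claims in (("reported", BROKEN_CLAIMS), ("fixed", FIXED_CLAIMS)):
        ok, why = check_nonce(payload_claims(demo_token(claims)), nonce_from_request(AUTH_REQUEST))
        print(f"{label} token: {'accept' if ok else 'reject'} ({why})")
```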

Thanks for catching this - we’ve since released an update to Access that fixes this issue and includes the nonce in the resulting ID token.
