nonce and state minimum length of 32 characters is not met #1
Comments
@jricher tagging you for awareness
Thanks for reporting this. Looks like that nonce creation function should create a 32 character nonce instead. Pull requests are welcome, of course!
@brodygov I may have some time to get a PR in. The only information I can find about state and nonce length requirements is in the OIDC iGov profile[1] which says "Must contain a sufficient amount of entropy to avoid guessing." Any insight on how/why the length requirement was chosen at Login.gov? That might be helpful to shape how a PR is made, i.e. to balance backward compatibility with a configuration against security by enforcing a 32 char length.
I doubt there was any particularly strong reason to choose 32 characters. 16 bytes (128 bits) would match AES-128, 32 bytes (256 bits) would match AES-256. There's also no need to preserve compatibility, since the minimum has been 32 for production for a very long time. This repo is just intended to provide an example starting point for creating a Java OIDC service provider, not to provide an official reference implementation.
On a related note, I have been using 'spring-security-oauth2', and my authorization request is automatically tacking on a spring-attic/spring-security-oauth#1526. The 6-character setting seems to be set here, is there a way to override this?
Ran into an issue integrating this demo application with login.gov where the state and nonce parameters are too short. Login.gov (in the integration environment) is returning error messages stating state and nonce minimum is 32 characters.
To be clear, the docs (https://developers.login.gov/oidc/#authorization) are very clear about this requirement, but this demo (and maybe others that use the mitreid-connect) is running into this scenario.
Example error message:
Redirected error to my demo application from login.gov integration environment:
https://my-test-app.gov/openid_connect_login?error=invalid_request&error_description=State+is+too+short+%28minimum+is+32+characters%29+Nonce+is+too+short+%28minimum+is+32+characters%29&state=312ad7da3cc25
I think the source of this issue is how the nonce and state values are created in the mitreid-connect dependency of this demo app at these lines:
Nonce creation:
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java#L677
State creation:
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java#L698
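As an added illustration (not code from this demo app or from mitreid-connect): a generator that satisfies both the 32-character minimum and an entropy floor, next to a provider-side check phrased like the login.gov error quoted above. The sample request values and the parameter names in the helper are constructed; note that 128 bits of randomness base64url-encodes to only 22 characters, so the length rule is the binding one.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

MIN_LENGTH = 32          # login.gov's documented minimum for state and nonce
MIN_ENTROPY_BITS = 128   # the AES-128 figure mentioned in the thread
# base64url yields 4 characters per 3 bytes and token_urlsafe strips padding,
# so 24 random bytes is the smallest input that reaches 32 characters.
MIN_BYTES_FOR_LENGTH = 24


def generate_state_or_nonce(entropy_bits: int = 256) -> str:
    """Return a URL-safe value meeting both the entropy floor and the length minimum."""
    if entropy_bits < MIN_ENTROPY_BITS:
        raise ValueError("refusing to generate a low-entropy state/nonce")
    nbytes = max((entropy_bits + 7) // 8, MIN_BYTES_FOR_LENGTH)
    return secrets.token_urlsafe(nbytes)  # 128 bits -> 32 chars, 256 bits -> 43 chars


def too_short(param: str, value: str) -> Optional[str]:
    """Length check worded like the login.gov error in the quoted redirect."""
    if len(value) < MIN_LENGTH:
        return f"{param.capitalize()} is too short (minimum is {MIN_LENGTH} characters)"
    return None


def validate_authorization_request(params: Dict[str, str]) -> Optional[str]:
    """Return an error_description for the request, or None when it passes."""
    problems = [too_short(p, params.get(p, "")) for p in ("state", "nonce")]
    problems = [p for p in problems if p]
    return " ".join(problems) if problems else None


def describe_error_redirect(url: str) -> Dict[str, str]:
    """Extract error, error_description and state from a provider redirect
    so the relying party can log the rejection in readable form."""
    q = parse_qs(urlparse(url).query)
    return {k: q.get(k, [""])[0] for k in ("error", "error_description", "state")}


if __name__ == "__main__":
    # Constructed values: a 13-hex-character state like the one in the redirect
    # above and a 6-character nonce, both below the minimum.
    short = {"state": "312ad7da3cc25", "nonce": "9f2c1e"}
    print(validate_authorization_request(short))
    good = {"state": generate_state_or_nonce(), "nonce": generate_state_or_nonce()}
    print(validate_authorization_request(good))  # None
```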