Use nonce in Authentication Code Flow (#184)

2015-03-17 12:56:11 +00:00 · 2015-03-17 12:56:11 +00:00 · 4e7f4eb85e
commit 4e7f4eb85e
parent 89e3678bdf
1 changed files with 4 additions and 1 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@ -186,9 +186,11 @@ sub issuerForUnAuthUser {
            acr => $id_token_acr,    # Authentication Context Class Reference
            azp => $client_id,       # Authorized party
                                     # TODO amr
-                                     # TODO nonce
        };

+        my $nonce = $codeSession->data->{nonce};
+        $id_token_payload_hash->{nonce} = $nonce if defined $nonce;
+
        # Create ID Token
        my $id_token = $self->createIDToken( $id_token_payload_hash, $rp );

@ -467,6 +469,7 @@ sub issuerForAuthUser {
                    scope           => $oidc_request->{'scope'},
                    user_session_id => $session_id,
                    _utime          => time,
+                    nonce           => $oidc_request->{'nonce'},
                }
            );