
Implement OIDC nonce storage and validation in auth code flow #77

@markwylde

Description

Summary

The authorization flow accepts nonce but does not persist or validate it when issuing ID tokens.

Evidence

  • packages/api/src/controllers/user/authorize.ts accepts nonce but does not store it in pending auth state.
  • packages/api/src/controllers/user/token.ts does not include/validate nonce during ID token issuance.

Security Impact

Without nonce binding, ID tokens can be replayed or mixed-up across authorization responses, violating OIDC Core nonce requirements.

Required Fix

  • Persist nonce with the original authorization request/code.
  • On code redemption, require exact nonce match before minting ID token.
  • Include nonce claim in ID token when provided by the original request.

Acceptance Criteria

  • Authorization code metadata contains nonce (when supplied).
  • Token endpoint rejects mismatched/missing expected nonce conditions.
  • ID token includes correct nonce claim for nonce-bearing auth requests.
  • Tests cover success and failure paths for nonce validation.

Source

Security Review dated 2026-02-15, Finding 1 (Critical).
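A minimal model of the three items under Required Fix, written as an added example in TypeScript and not taken from this repository: the authorization endpoint persists the nonce with the pending auth state, the token endpoint consumes the code exactly once, checks it against the stored client and redirect URI, rejects a nonce supplied on redemption that does not match the stored one, and copies the stored nonce into the ID token claims only when the original request carried one. The type names, function names, issuer URL, in-memory store and TTLs are assumptions made for the example; the project's real authorize.ts and token.ts are not shown here, and signing of the ID token is left out.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical request/state shapes for the example; not the project's own types.
interface AuthorizeRequest {
  clientId: string;
  redirectUri: string;
  scope: string;
  nonce?: string; // optional in OIDC Core, but once sent it must come back in the ID token
}

interface PendingAuth {
  clientId: string;
  redirectUri: string;
  subject: string;
  nonce?: string; // persisted alongside the code: the piece the finding says is missing
  expiresAt: number; // ms since epoch
}

interface IdTokenClaims {
  iss: string;
  sub: string;
  aud: string;
  iat: number;
  exp: number;
  nonce?: string;
}

class TokenError extends Error {
  readonly error: string; // OAuth error code, e.g. "invalid_grant"
  constructor(error: string, message: string) {
    super(message);
    this.error = error;
  }
}

const ISSUER = "https://issuer.example"; // assumption
const CODE_TTL_MS = 60_000; // assumption
const ID_TOKEN_TTL_S = 300; // assumption

// In-memory stand-in for the pending-auth store, keyed by SHA-256 of the code so a
// dumped store does not hand out redeemable codes.
const pending = new Map<string, PendingAuth>();

function codeKey(code: string): string {
  return createHash("sha256").update(code).digest("hex");
}

function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Authorization endpoint: mint a code and store the nonce with it.
function authorize(req: AuthorizeRequest, subject: string, now = Date.now()): string {
  const code = randomBytes(32).toString("hex");
  pending.set(codeKey(code), {
    clientId: req.clientId,
    redirectUri: req.redirectUri,
    subject,
    nonce: req.nonce,
    expiresAt: now + CODE_TTL_MS,
  });
  return code;
}

// Token endpoint: redeem the code once, check it against the stored request, and
// carry the stored nonce into the ID token. A nonce supplied on redemption must
// exactly equal the stored one; a nonce for a code that never had one is rejected.
function redeemCode(
  params: { code: string; clientId: string; redirectUri: string; nonce?: string },
  now = Date.now(),
): IdTokenClaims {
  const key = codeKey(params.code);
  const entry = pending.get(key);
  pending.delete(key); // single use even on failure, so a replayed code never succeeds
  if (!entry || entry.expiresAt < now) {
    throw new TokenError("invalid_grant", "unknown, already used or expired authorization code");
  }
  if (entry.clientId !== params.clientId || entry.redirectUri !== params.redirectUri) {
    throw new TokenError("invalid_grant", "code was issued to a different client or redirect_uri");
  }
  if (params.nonce !== undefined) {
    if (entry.nonce === undefined || !constantTimeEqual(params.nonce, entry.nonce)) {
      throw new TokenError("invalid_grant", "nonce does not match the original authorization request");
    }
  }
  const iat = Math.floor(now / 1000);
  const claims: IdTokenClaims = {
    iss: ISSUER,
    sub: entry.subject,
    aud: entry.clientId,
    iat,
    exp: iat + ID_TOKEN_TTL_S,
  };
  if (entry.nonce !== undefined) {
    claims.nonce = entry.nonce; // only for nonce-bearing requests, as the acceptance criteria require
  }
  return claims;
}
```

Two design points worth keeping when porting this into the real controllers: the code is deleted from the store before any check runs, so a failed redemption burns it rather than leaving it replayable, and the server never invents a nonce. OIDC Core has the relying party compare the `nonce` claim against the value it sent, so the server's whole obligation is to return exactly the stored value, or no claim at all when the request had none.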
