Details
- Task
- Resolution: Fixed
- P2: Important
- None
- None
- 8
- 62feb2e82 (dev)
- Foundation Sprint 115, Foundation Sprint 116, Foundation Sprint 117
Description
The OpenID Connect Core specification defines an OPTIONAL 'nonce' request parameter.
The purpose of the 'nonce' is to mitigate replay attacks; the returned ID token (a JWT) contains the same 'nonce' value.
qtnetworkauth should add convenience support for this. Note that the QAbstractOAuth class does have a protected function
static QByteArray generateRandomString(quint8 length);
which can very likely be used for this purpose.
While OpenID Connect marks the parameter as OPTIONAL, many OAuth providers mark it as REQUIRED (see e.g. Facebook or Google).
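The nonce flow described above, as an added Python example that is not part of qtnetworkauth or this report: a fresh nonce is generated, carried in the authorization request, and the returned ID token is accepted only if its 'nonce' claim matches a pending one, and each nonce is accepted exactly once. The endpoint URL, client id and the unsigned sample token are constructed values; signature, issuer and audience validation are assumed to happen elsewhere.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode

def generate_nonce(nbytes=32):
    """Fresh URL-safe nonce; 32 random bytes give 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)

def build_authorization_url(endpoint, client_id, redirect_uri, state, nonce):
    """Authorization request carrying the 'nonce' parameter alongside 'state'."""
    params = {"response_type": "code", "scope": "openid", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return endpoint + "?" + urlencode(params)

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token):
    """Decode the JWT payload; signature/issuer/audience checks are assumed done elsewhere."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    return json.loads(_b64url_decode(parts[1]))

def consume_nonce(pending, claims):
    """Accept the ID token only if its 'nonce' matches one we issued; each nonce is single use."""
    got = claims.get("nonce")
    if not isinstance(got, str):
        return False
    for expected in list(pending):
        if hmac.compare_digest(got.encode(), expected.encode()):
            pending.discard(expected)  # a replayed token no longer matches anything
            return True
    return False

def make_sample_id_token(claims):
    """Constructed, unsigned (alg 'none') ID token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    pending = set()                      # nonces of logins still in flight
    nonce = generate_nonce()
    pending.add(nonce)
    print(build_authorization_url("https://op.example/authorize", "client-id",
                                  "https://rp.example/cb", "state123", nonce))
    token = make_sample_id_token({"iss": "https://op.example", "sub": "alice", "nonce": nonce})
    print(consume_nonce(pending, id_token_claims(token)))  # True: first use
    print(consume_nonce(pending, id_token_claims(token)))  # False: replay of the same token
```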
Attachments
Issue Links
- clones: QTBUG-124327 [OAuth] PKCE support (Closed)
- is cloned by: QTBUG-124337 [OAuth] Improve nonce-generation (Closed)
- is cloned by: QTBUG-127839 [OAuth] Support QtWebEngine usage as the user-agent (Closed)
For Gerrit Dashboard: QTBUG-124336

# | Subject | Branch | Project | Status | CR | V
---|---|---|---|---|---|---
590573,12 | Add 'nonce' support for OAuth2 | dev | qt/qtnetworkauth | MERGED | +2 | 0