Qt / QTBUG-124336

[OAuth OIDC] Add nonce support


Details

    • Task
    • Resolution: Unresolved
    • P2: Important

    Description

      The OpenID Connect Core specification defines an OPTIONAL 'nonce' request parameter.
      The purpose of the 'nonce' is to mitigate replay attacks; the returned "ID token" (JWT) contains the same "nonce".

      qtnetworkauth should add convenience support for this. Note that the QAbstractOAuth class does have a /protected/ function

      static QByteArray generateRandomString(quint8 length);
      

      which can very likely be used for this purpose.

      While OpenID Connect marks the parameter as optional, many OAuth providers mark it as REQUIRED (see e.g.
      Facebook or Google).
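
The replay check described above, sketched at the protocol level as an added example (Python, not qtnetworkauth code and not part of this issue). The class and function names, the endpoint and the sample token are hypothetical, and the ID token's signature, iss, aud and exp are assumed to have been validated already.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode


class OidcNonceSession:
    """Holds the nonce for one authentication request (hypothetical helper)."""

    def __init__(self) -> None:
        # 32 random bytes, URL-safe encoded; kept only in this client session.
        self._pending = secrets.token_urlsafe(32)

    def authorization_url(self, endpoint: str, client_id: str, redirect_uri: str) -> str:
        if self._pending is None:
            raise RuntimeError("nonce already used; start a new session")
        # 'nonce' is sent in the authentication request next to the usual parameters.
        return endpoint + "?" + urlencode({
            "response_type": "code",
            "scope": "openid",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "nonce": self._pending,
        })

    def accept(self, claims: dict) -> bool:
        """True only the first time an ID token carries the expected nonce."""
        expected, self._pending = self._pending, None  # single use, even on failure
        got = claims.get("nonce")
        if expected is None or not isinstance(got, str):
            return False
        return hmac.compare_digest(got.encode(), expected.encode())


def jwt_claims(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT. Does NOT verify the signature;
    assumes signature, iss, aud and exp were validated before this call."""
    _header, payload, _signature = id_token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def constructed_id_token(claims: dict) -> str:
    """Constructed sample token with a dummy signature, for the demo only."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256'})}.{seg(claims)}.constructed-signature"
```

A token replayed into the same session, or presented to a different session, fails `accept()` because the stored nonce is consumed on first use and is unique per request.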


            People

              vuokko Juha Vuolle
              vuokko Juha Vuolle
              Vladimir Minenko Vladimir Minenko
              Alex Blasche Alex Blasche