Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-124336

[OAuth OIDC] Add nonce support

    XMLWordPrintable

Details

    Description

      OpenIDConnect core specification defines an OPTIONAL 'nonce' request parameter.
      The purpose for the 'nonce' is to mitigate replay attacks; the returned "ID token" (JWT) contains the same "nonce".

      qtnetworkauth should add convenience support for this. Note that the QAbstractOAuth class does have a /protected/ function

      static QByteArray generateRandomString(quint8 length);
      

      which can very likely be used for this purpose.

      While the OpenIDConnect marks the parameters as optional, many OAuth providers mark it as REQUIRED (see eg.
      Facebook or Google).

      Attachments

        Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              vuokko Juha Vuolle
              vuokko Juha Vuolle
              Vladimir Minenko Vladimir Minenko
              Alex Blasche Alex Blasche
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes