Reputation: 833
What's the nonce function on Oauth authentication process?
I'm developing a software where the login process is done using Microsoft Azure AD with Oauth2. The nonce number is optional on this process and after a successful login I receive a token that's valid for one hour.
I couldn't understand the function of nonce on this process and I'm not using it. Is my authentication less secure because of this? What's the benefits of add a nonce number on this process?
Upvotes: 5
Views: 10426
Answers (1)
Reputation: 13059
Nonce binds client and token which prevents token replay attacks.
nonce - String value used to associate a Client session with an ID Token, and to mitigate replay attacks
Think about your token endpoint and receiving token response from authorization server. As the client, how could you validate ID token to be not replayed by a malicious party? This is what nonce serves.
You add this parameter in authorization request. And in the token response, you get ID token. When you validate the token, you verify nonce inside token (JWT claims).
More from this answer
Also, depending on the flow type, nonce can be a mandatory parameter. The implicit flow and hybrid flow mandate nonce value
Upvotes: 7
Related Questions
- nonce usage in authentication
- Purpose of state and nonce in OpenID Connect Code flow
- Where to validate nonce in OAuth 2.0 Implict Flow?
- How nonce and state parameters are stored and transmitted in IdentityServer4?
- How to manage `state` nonce auth0 authorization code grant flow?
- Do we really need "oauth_nonce"?
- What is the OAuth error code to output when a nonce has already been used?
- What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
- Does OAuth 2 use nonce?
- DotNetOpenAuth - What do "Nonce" and "OpenIDAssociation" tables do?