Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2903

Fix for CVE-2024-12369 (ELY-2887) breaks OIDC usage with refresh tokens

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 2.2.11.Final, 2.6.4.Final, 2.7.0.Alpha1
    • 2.6.2.Final, 2.2.9.Final, 2.7.0.Alpha1, 3.0.0.Alpha1
    • None
    • None

      The fix for CVE-2024-12369 [ELY-2887, [1]] in Wildfly 36 and JBoss EAP 8.0.7 breaks OIDC usage with AWS Cognito (and maybe other OIDC providers).

      The reason is that the ID token provided by Cognito does not contain a nonce claim (the nonce is only present in the initial request, not in the refresh requests). Cognito does not do this because (in my understanding) Cognito uses the Authorization Code Flow (see [2] or [3]) and thus this is not required.

      [1] https://issues.redhat.com/browse/ELY-2887
      [2] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
      [3] https://community.auth0.com/t/is-nonce-requried-for-the-authoziation-code-flow/111419

      I guess that the reason is that the following code does not send a nonce:

        1. screenshot-1.png
          screenshot-1.png
          101 kB

              rsearls r searls
              beth-soptim Thomas Beckers
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: