- Bug
- Resolution: Done-Errata
- Critical
- None
The fix for CVE-2024-12369 [ELY-2887, [1]] in WildFly 36 and JBoss EAP 8.0.7 breaks OIDC usage with AWS Cognito (and maybe other OIDC providers).
The reason is that the ID token provided by Cognito does not contain a nonce claim (the nonce is only present in the initial request, not in the refresh requests). Cognito does not do this because (in my understanding) Cognito uses the Authorization Code Flow (see [2] or [3]) and thus this is not required.
[1] https://issues.redhat.com/browse/ELY-2887
[2] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
[3] https://community.auth0.com/t/is-nonce-requried-for-the-authoziation-code-flow/111419
I guess that the reason is that the following code does not send a nonce:
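The snippet the reporter refers to is not reproduced on this page. What follows instead is an added example (not Elytron code, not the reporter's code, and not Cognito behaviour taken from documentation) showing the nonce rule of OIDC Core section 3.1.3.7, step 11, applied to both cases the report describes: the ID token from the initial authentication, where a nonce that was sent must come back, and the ID token from a refresh-token grant, where no nonce is sent and the claim may therefore be absent. Token strings, issuer, subject and nonce values are constructed for the demo; signature verification is assumed to have happened before the claims are parsed.

```python
import base64
import hmac
import json

# Constructed demonstration value (not from Cognito or from the report): the
# nonce the relying party generated for the initial authentication request.
ORIGINAL_NONCE = "n-0S6_WzA2Mj"


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the claims set of a compact JWS ID token.

    Assumption: the signature was already verified against the provider's
    JWKS before the claims are trusted; this helper only parses the payload.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def validate_nonce(claims: dict, sent_nonce, is_refresh: bool):
    """Apply the OIDC Core 3.1.3.7 nonce rule. Returns (accepted, reason).

    Initial authentication: if the request carried a nonce, the ID token must
    contain the same value. If none was sent (permitted in the Authorization
    Code Flow), there is nothing to compare.
    Refresh: the token endpoint request carries no nonce, so an ID token
    without a nonce claim is acceptable. If the provider echoes one anyway it
    must still equal the original nonce; any other value is rejected.
    """
    token_nonce = claims.get("nonce")
    if token_nonce is not None and not isinstance(token_nonce, str):
        return False, "nonce claim is not a string"
    if is_refresh:
        if token_nonce is None:
            return True, "refresh: no nonce claim, none required"
        if sent_nonce is not None and hmac.compare_digest(token_nonce, sent_nonce):
            return True, "refresh: nonce echoes original"
        return False, "refresh: nonce present but does not match original"
    if sent_nonce is None:
        return True, "initial: no nonce sent, nothing to check"
    if token_nonce is None:
        return False, "initial: nonce was sent but ID token has no nonce claim"
    if hmac.compare_digest(token_nonce, sent_nonce):
        return True, "initial: nonce matches"
    return False, "initial: nonce mismatch"


def make_demo_token(claims: dict) -> str:
    """Build a constructed compact token for the demo; the signature segment
    is a placeholder and is never verified here."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "demo-signature"])


# Constructed tokens modelling the two cases from the report.
INITIAL_TOKEN = make_demo_token({"iss": "https://idp.example", "sub": "user-1", "nonce": ORIGINAL_NONCE})
REFRESH_TOKEN = make_demo_token({"iss": "https://idp.example", "sub": "user-1"})  # no nonce claim


def check_initial(id_token=INITIAL_TOKEN, sent_nonce=ORIGINAL_NONCE):
    """Validate an ID token returned by the initial authorization code exchange."""
    return validate_nonce(id_token_claims(id_token), sent_nonce, is_refresh=False)


def check_refresh(id_token=REFRESH_TOKEN, sent_nonce=ORIGINAL_NONCE):
    """Validate an ID token returned by a refresh_token grant."""
    return validate_nonce(id_token_claims(id_token), sent_nonce, is_refresh=True)


if __name__ == "__main__":
    print(check_initial())                      # accepted: nonce matches
    print(check_refresh())                      # accepted: no nonce on refresh
    print(check_initial(id_token=REFRESH_TOKEN))  # rejected: nonce sent but missing
```

The point of the split is that a validator which unconditionally demands a nonce claim will reject every refreshed ID token from a provider that omits it, which is the symptom the report describes; the rule only has teeth on the response to a request in which the relying party actually sent a nonce.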
- clones
  - ELY-2903 Fix for CVE-2024-12369 (ELY-2887) breaks OIDC usage with refresh tokens (Resolved)
  - JBEAP-29983 (8.1.z) ELY-2903 - Fix for CVE-2024-12369 (ELY-2887) breaks OIDC usage with refresh tokens (Closed)
- is blocked by
  - JBEAP-29986 [8.1.0.GA] - (8.0.z) ELY-2903 - Fix for CVE-2024-12369 (ELY-2887) breaks OIDC usage with refresh tokens (Verified)
- is incorporated by
  - JBEAP-29999 (8.0.z) Upgrade WildFly Elytron from 2.2.10.Final-redhat-00001 to 2.2.11.Final-redhat-00001 (Closed)
- links to
  - RHSA-2025:145580 Red Hat JBoss Enterprise Application Platform 8.0.8 Security update
  - RHSA-2025:145581 Red Hat JBoss Enterprise Application Platform 8.0.8 Security update
  - RHSA-2025:145582 Red Hat JBoss Enterprise Application Platform 8.0.8 Security update