JBoss Enterprise Application Platform: JBEAP-29986

[8.1.0.GA] - (8.0.z) ELY-2903 - Fix for CVE-2024-12369 (ELY-2887) breaks OIDC usage with refresh tokens



The fix for CVE-2024-12369 [ELY-2887, [1]] in WildFly 36 and JBoss EAP 8.0.7 breaks OIDC usage with AWS Cognito (and maybe other OIDC providers).

The reason is that the ID token provided by Cognito does not contain a nonce claim (the nonce is only present in the initial request, not in the refresh requests). Cognito does not do this because (in my understanding) Cognito uses the Authorization Code Flow (see [2] or [3]) and thus this is not required.

[1] https://issues.redhat.com/browse/ELY-2887
[2] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
[3] https://community.auth0.com/t/is-nonce-requried-for-the-authoziation-code-flow/111419

I guess that the reason is that the following code does not send a nonce:

rsearls (r searls)
rhn-support-ivassile (Ilia Vassilev)
Krystof Stekovic
Votes: 0
Watchers: 2
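The distinction the report turns on, as an added example that is not Elytron's code nor the fix under discussion: a nonce is sent only in the initial authentication request, so the ID token from the code exchange must echo it, while an ID token returned by a refresh_token grant carries no new nonce to check and should instead be tied to the original token's iss, sub and aud (the rule OIDC Core section 12.2 gives for refreshed ID tokens). Claim values and function names are constructed.

```python
# Constructed sample claim sets (not real Cognito tokens). The initial ID
# token echoes the nonce from the authentication request; the refreshed
# one, as the report describes, omits the nonce entirely.
INITIAL_CLAIMS = {"iss": "https://issuer.example", "sub": "user-1",
                  "aud": "client-1", "nonce": "n-0c8f", "iat": 1_700_000_000}
REFRESHED_CLAIMS = {"iss": "https://issuer.example", "sub": "user-1",
                    "aud": "client-1", "iat": 1_700_000_600}


def validate_initial(claims, expected_nonce):
    """Validate an ID token obtained from the authorization-code exchange.

    The client sent a nonce in the authentication request, so the token
    must echo exactly that value; a missing or different nonce means the
    token cannot be bound to this login and is rejected (replay defence).
    """
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce missing or does not match the request")
    return claims


def validate_refreshed(claims, original):
    """Validate an ID token returned by a refresh_token grant.

    No nonce is sent on refresh, so the claim is not required. If the
    provider does include one it must equal the original; iss, sub and aud
    must be unchanged, and iat must not predate the original token.
    """
    for name in ("iss", "sub", "aud"):
        if claims.get(name) != original.get(name):
            raise ValueError(f"{name} differs from the original ID token")
    if "nonce" in claims and claims["nonce"] != original.get("nonce"):
        raise ValueError("nonce differs from the original ID token")
    if claims.get("iat", 0) < original.get("iat", 0):
        raise ValueError("refreshed token is older than the original")
    return claims


def rejects(check, *args):
    """Return True if the given validation raises ValueError."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


def strict_rule_breaks_refresh(refreshed, expected_nonce):
    """Reproduce the reported failure: applying the initial-login nonce rule
    to a refreshed token rejects a legitimate nonce-less token."""
    return rejects(validate_initial, refreshed, expected_nonce)
```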