Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Wrong nonce: undefined" during login with Password grant #1324

Open
ali-kashanian opened this issue Mar 29, 2023 · 10 comments · May be fixed by #1455
Open

"Wrong nonce: undefined" during login with Password grant #1324

ali-kashanian opened this issue Mar 29, 2023 · 10 comments · May be fixed by #1455

Comments

@ali-kashanian
Copy link

ali-kashanian commented Mar 29, 2023
edited
Loading

Hello,

I have recently upgraded my project to Angular v14 and oidc package to 14.0.1. I am using a combination of Password and Code flows in my project. The configuration I use is as follows:

{
    issuer: '<Domain>',
    redirectUri: '<Redirect URL>',
    clientId: '<Client Id>',
    tokenEndpoint: '<Token URL>',
    loginUrl: '<Authorize URL>',
    useSilentRefresh: false,
    responseType: 'code',
    scope: 'openid profile offline_access <some more custom scopes>',
}

I started experiencing the following error after I upgraded my project to v14.0.1 when calling fetchTokenUsingPasswordFlow():

ERROR Error: Uncaught (in promise): Wrong nonce: undefined

In the Developer console, there is a warning right before the error:

Wrong nonce: undefined
    processIdToken
    (anonymous)
    ...

After looking at the source code, I found out that the error is coming from the following chain of method calls:

oauth-service.ts:824 > fetchTokenUsingPasswordFlow():833 > fetchTokenUsingGrant():903 > processIdToken():2240

It seems like the skipNonceCheck parameter of the processIdToken() method is not set. I'm not quite sure whether we need nonce for Password grant, but looking at line 971 where processIdToken() is used for refresh_token grant, the skipNonceCheck parameter is set to true.

Is this a bug or am I missing any configuration?
@TiBz0u
Copy link

TiBz0u commented Mar 29, 2023

Hi @ali-kashanian,
We encounter the same problem this morning (nice timing with your ticket ^^).
We manage to fix that by disabling OIDC (temporary) in the AuthConfig. Therefore, the idToken nonce is not checked anymore.
Kr.

@ali-kashanian
Copy link
Author

Hi @TiBz0u,
Thanks for the response. I think with OIDC disabled, the processIdToken is bypassed and the idToken won't be saved in the storage. Even though the initial login has this error, the refresh token is fine and it will pass the nonce check and save the idToken.
I'm not quite sure how the saved idToken is used throughout this project. Won't it cause more problem down the road?

@TiBz0u
Copy link

TiBz0u commented Apr 5, 2023

Hi @ali-kashanian, sorry for late response.
I had a side effect at my side by disabling it. I'm not able anymore to resolve the claim via getIdentityClaims() function. I didn't find an alternative to get the claim from the accessToken. So I mock it for the moment.
So the fix will still be appreciate at my side.

@apetrut
Copy link

apetrut commented May 2, 2023

@TiBz0u @ali-kashanian Have you found a solution to this issue? I am also getting this error.

@ali-kashanian
Copy link
Author

Unfortunately, no. I was hoping that someone from the developer team would reach out.
For now, the only temporary solution is to disable OIDC.

@matze1234
Copy link

+1

1 similar comment
@Kirollosangly
Copy link

+1

@Kr1si
Copy link

Kr1si commented Oct 2, 2024

Still an issue, so I am here just to bump this.

@jwgmeligmeyling jwgmeligmeyling linked a pull request Dec 9, 2024 that will close this issue
Open
@jwgmeligmeyling
Copy link

Provided a fix for this in #1455

@ali-kashanian
Copy link
Author

ali-kashanian commented Mar 19, 2025
edited
Loading

I found a workaround for this while we're waiting on the PR to hopefully get merged and released. There is a method in the OAuthService called "createAndSaveNonce()". Although it's marked as public, there is no documentation about it and there might be a chance that it goes away in the future releases. Instead of calling "fetchTokenUsingPasswordFlow()", I use the "fetchTokenUsingGrant()" method with grant_type: password:

this.oAuthService
    .createAndSaveNonce()
    .then((nonce: string) => 
        this.oAuthService.fetchTokenUsingGrant(
            'password', 
            { username: username, password: password, nonce: nonce },
            headers))

The server should add the nonce to the Id Token if it's it's provided in the authentication request (https://openid.net/specs/openid-connect-core-1_0.html#IDToken)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Skip nonce check when using password grant jwgmeligmeyling/angular-oauth2-oidc
7 participants
@TiBz0u @jwgmeligmeyling @matze1234 @apetrut @ali-kashanian @Kr1si @Kirollosangly