nuts-node icon indicating copy to clipboard operation
nuts-node copied to clipboard
verified publisher icon nuts-foundation

Check nonce re-usage prevention

Open woutslakhorst opened this issue 1 year ago • 3 comments

In lots of OAuth2 protocol parts we need to check a nonce is used once. This is not done everywhere (yet)

woutslakhorst avatar Apr 19 '24 08:04 woutslakhorst

this applies to other SessionStores too, like userRedirectStore and authzRequestObjectStore. Perhaps add a convenience function on the SessionStore interface that combines Get and Delete, or let Delete also return the value...

gerardsn avatar Apr 30 '24 14:04 gerardsn

or let Delete also return the value...

sounds like a valuable addition

woutslakhorst avatar May 06 '24 06:05 woutslakhorst

this consists of 2 parts

  1. burn single use entries from local session storage after it has been used
  2. temporarily store nonce/jti values received from other parties to prevent replay

The second is a bit harder since it requires going through all code/flows to see where these values are received.

gerardsn avatar May 15 '24 11:05 gerardsn