handler/openid: remove forced nonce (ory#185)

Signed-off-by: Wyatt Anderson <[email protected]>
budougumi0617 · Jun 28, 2017 · ea58cbf · ea58cbf
1 parent 1fc3862
commit ea58cbf
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 8 deletions.
diff --git a/handler/openid/flow_hybrid_test.go b/handler/openid/flow_hybrid_test.go
@@ -120,20 +120,26 @@ func TestHybrid_HandleAuthorizeEndpointRequest(t *testing.T) {
 			expectErr: fosite.ErrInvalidGrant,
 		},
 		{
-			description: "should fail because nonce was not set",
+			description: "should fail because nonce was not sufficient",
 			setup: func() {
 				areq.Client = &fosite.DefaultClient{
 					GrantTypes:    fosite.Arguments{"authorization_code", "implicit"},
 					ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
 					Scopes:        []string{"openid"},
 				}
+				areq.Form.Set("nonce", "short")
 			},
 			expectErr: fosite.ErrInsufficientEntropy,
 		},
 		{
-			description: "should fail because nonce was not set",
+			description: "should pass because nonce was set with sufficient entropy",
 			setup: func() {
-				areq.Form.Add("nonce", "some-foobar-nonce-win")
+				areq.Form.Set("nonce", "some-foobar-nonce-win")
+				areq.Client = &fosite.DefaultClient{
+					GrantTypes:    fosite.Arguments{"authorization_code", "implicit"},
+					ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
+					Scopes:        []string{"openid"},
+				}
 			},
 		},
 		{
@@ -148,8 +154,14 @@ func TestHybrid_HandleAuthorizeEndpointRequest(t *testing.T) {
 	} {
 		c.setup()
 		err := h.HandleAuthorizeEndpointRequest(nil, areq, aresp)
-		assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
-		t.Logf("Passed test case %d", k)
+		condition := errors.Cause(err) == c.expectErr
+		assert.True(t, condition, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
+		if condition {
+			t.Logf("Passed test case %d", k)
+		} else {
+			t.Logf("Failed test case %d", k)
+		}
+
 		if c.check != nil {
 			c.check()
 		}

diff --git a/handler/openid/strategy_jwt.go b/handler/openid/strategy_jwt.go
@@ -142,8 +142,9 @@ func (h DefaultStrategy) GenerateIDToken(_ context.Context, requester fosite.Req
 
 	nonce := requester.GetRequestForm().Get("nonce")
 	// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
-	// Although optional, this is considered good practice and therefore enforced.
-	if len(nonce) < fosite.MinParameterEntropy {
+	if len(nonce) == 0 {
+		// skip this check, no nonce provided
+	} else if len(nonce) < fosite.MinParameterEntropy {
 		// We're assuming that using less then 8 characters for the state can not be considered "unguessable"
 		return "", errors.WithStack(fosite.ErrInsufficientEntropy)
 	}

diff --git a/handler/openid/strategy_jwt_test.go b/handler/openid/strategy_jwt_test.go
@@ -86,7 +86,7 @@ func TestJWTStrategy_GenerateIDToken(t *testing.T) {
 					Headers: &jwt.Headers{},
 				})
 			},
-			expectErr: true,
+			expectErr: false,
 		},
 	} {
 		c.setup()