Add nonce to request (#16563)

2026-04-25 03:00:53 -04:00 · 2022-11-22 15:02:38 +00:00
parent 12786728ed
commit f3e4ae0b6f
1 changed files with 3 additions and 1 deletions
--- a/api/src/auth/drivers/openid.ts
+++ b/api/src/auth/drivers/openid.ts
@@ -99,6 +99,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
 				code_challenge_method: 'S256',
 				// Some providers require state even with PKCE
 				state: codeChallenge,
+				nonce: codeChallenge,
 			});
 		} catch (e) {
 			throw handleError(e);
@@ -126,10 +127,11 @@ export class OpenIDAuthDriver extends LocalAuthDriver {

 		try {
 			const client = await this.client;
+			const codeChallenge = generators.codeChallenge(payload.codeVerifier);
 			tokenSet = await client.callback(
 				this.redirectUrl,
 				{ code: payload.code, state: payload.state },
-				{ code_verifier: payload.codeVerifier, state: generators.codeChallenge(payload.codeVerifier) }
+				{ code_verifier: payload.codeVerifier, state: codeChallenge, nonce: codeChallenge }
 			);
 			userInfo = tokenSet.claims();