ID Token parsing and OpenID RP Certification

[WilliamDenniss]

ID Token Parsing

• The 5 required fields are exposed as params.
• Authorization code exchange exchange now validates the ID Token iss, aud, and iat claims.

OpenID RP Certification Tests

Response Type and Response Mode

• rp-response_type-code

scope Request Parameter

• rp-scope-userinfo-claims

nonce Request Parameter

• rp-nonce-invalid

Client Authentication

• rp-token_endpoint-client_secret_basic

ID Token

• rp-id_token-aud
• rp-id_token-kid-absent-single-jwks*
• rp-id_token-sig-none
• rp-id_token-issuer-mismatch
• rp-id_token-kid-absent-multiple-jwks*
• rp-id_token-bad-sig-rs256*
• rp-id_token-iat
• rp-id_token-sig-rs256*
• rp-id_token-sub

*AppAuth for iOS & macOS only supports alg:none validation.

UserInfo Endpoint

• rp-userinfo-bad-sub-claim
• rp-userinfo-bearer-header

Fixes:

#4 Support "nonce" OpenID Connect auth request parameter.
#17 Support JWT decoding and validation (conditional: alg:none based validation only).
#102 OpenID Connect RP Conformance Testing.

[ve7jtb]

The issuer always needs to be validated. If not doing discovery then the issuer would need to be statically along with Authorization endpoint etc.

[WilliamDenniss]

Added the ability to manually specify issuer when not using discovery.

[codecov-io]

Codecov Report

Merging #101 into master will increase coverage by 6.47%.
The diff coverage is 89.34%.

@@            Coverage Diff             @@
##           master     #101      +/-   ##
==========================================
+ Coverage   66.84%   73.32%   +6.47%     
==========================================
  Files          54       57       +3     
  Lines        4217     4795     +578     
==========================================
+ Hits         2819     3516     +697     
+ Misses       1398     1279     -119

Impacted Files	Coverage Δ
Source/OIDAuthorizationService.h	0% <ø> (ø)	⬆️
Source/OIDTokenResponse.h	100% <ø> (ø)	⬆️
Source/OIDAuthState.m	46.99% <0%> (+3.73%)	⬆️
Source/OIDAuthorizationRequest.h	100% <100%> (ø)	⬆️
Source/OIDServiceConfiguration.h	100% <100%> (+25%)	⬆️
UnitTests/OIDAuthorizationRequestTests.m	100% <100%> (ø)	⬆️
Source/OIDAuthorizationRequest.m	86.04% <33.33%> (-7.34%)	⬇️
Source/OIDServiceConfiguration.m	78.4% <72.72%> (-14.02%)	⬇️
Source/OIDIDToken.h	75% <75%> (ø)
Source/OIDAuthorizationService.m	62.22% <80.39%> (+45.18%)	⬆️
... and 14 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c16ebbe...e30ea9d. Read the comment docs.

[zboralski]

any update?

[WilliamDenniss]

Updated the documentation & code comments for the ID Token features. Should be good to go now.

Here is a good summary (taken from the code) of the validation that is performed. Basically we are following the OpenID Connect specification for verification of ID Tokens on the code flow, with the important note that we are exercising the option to rely only on the TLS validation of the direct connection between the token endpoint and client, and are not performing JWT signature verification (users of AppAuth are welcome to add this themselves, should they wish).

// If an ID Token is included in the response, validates the ID Token following the rules
// in OpenID Connect Core Section 3.1.3.7 for features that AppAuth directly supports
// (which excludes rules #1, #4, #5, #7, #8, #12, and #13). Regarding rule #6, ID Tokens
// received by this class are received via direct communication between the Client and the Token
// Endpoint, thus we are exercising the option to rely only on the TLS validation. AppAuth
// has a zero dependencies policy, and verifying the JWT signature would add a dependency.
// Users of the library are welcome to perform the JWT signature verification themselves should
// they wish.

[jakeholland]

@WilliamDenniss - Need anything else for this? I have a project in flight this would be great for.

[zboralski]

Any progress on this? Do you need any help?

[zboralski]

@WilliamDenniss @StevenEWright What's the status of this pull request?

[StevenEWright]

@zboralski thank you for the ping. Ugh. Looks like I really dropped the ball on this. I’m sorry. I will look tonight.

[StevenEWright]

General Question... where do we stand on Swift support? Have you had a chance to test the new APIs with Swift? Do they look OK?

[StevenEWright]

How picky are we about colon alignment and style issues these days? I've seen a lot of people adopt clang-format, and I've been using it myself. It can be configured to mostly mirror our style guide. Nice to not have to worry about this stuff as much.

[WilliamDenniss]

You'll be pleased to know we're still picky. I took another stab at it, this one is kind of hard to fit in, PTAL. If you have any guidance please let me know.

[StevenEWright]

Looks like this is supposed to be a nullable field. Shouldn't it be:

NSString *_Nullable _nonce;

?

But I realize we don't have nullability attributes on the other property-backing ivars either. Am surprised this hasn't raised warnings / etc. Obviously I am not suggesting we deal with or "fix" this issue here. Mostly a question more so than a comment.

[WilliamDenniss]

Hmm, at least the property itself is declared as nullable. I hope to remove this code in the near future, once 32bit is gone.

[StevenEWright]

+4

[WilliamDenniss]

Done

[StevenEWright]

Just curious - I know we have other date/time related validations which take the local clock into account, but this seems like it may be the most specific. Is that true? I don't know why, on an iOS device, someone would have clock skew on the order of minutes - especially considering iPhones in particular should have fairly constant network connectivity, and should be getting their clocks updated regularly - but hypothetically if someone's clock were off by a couple minutes, would you expect this to have a chance of failing for that reason where-as it wouldn't before? (Reiterating it's just a question for my own edification, not that I see it as a problem/issue.)

[WilliamDenniss]

I don't think too many people set the time manually, I agree – but perhaps some do. I'm more concerned about server clock skew.

I don't really know what const to use here. The docs say we should "reject tokens that were issued too far away from the current time", but don't specify what "too far away" is, so I plucked 5 minutes out of the air, since it seemed short, but also long enough to account for multiple-minutes of clock skew on both sides.

[StevenEWright]

There seem to exist cases in which this field is optional? Should it be nullable here?

When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL.

[WilliamDenniss]

Appears to be required to me:

iat
REQUIRED. Time at which the JWT was issued. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

I think you're quoting from auth_time?

[StevenEWright]

In this case it's expected value is a type of string, right? You've been so diligent about checking types... do we want to check that as well?

[WilliamDenniss]

Done.

[StevenEWright]

dot notation for properties? (longLongValue below as well)

[WilliamDenniss]

Done.

[StevenEWright]

Should this be nullable?

@property(nonatomic, readonly, nullable) NSURL *issuer;

[WilliamDenniss]

Yes. Done.

[StevenEWright]

Should we mark init as unavailable in the header?

[WilliamDenniss]

I think we do already? - (instancetype)init NS_UNAVAILABLE;

[StevenEWright]

Looks like this is the actual designated initializer? Should we mark it as such in the header?

[WilliamDenniss]

So this method is not actually exposed in the header at all.

We're expecting people to either specify the endpoints manually, OR use a discovery doc – but not both. Do you think we should revise this?

[ghost]

Not sure if you are already aware, but there is a problem here. A nonce isn't sent with the call and then it expects one here.

[WilliamDenniss]

If the authorization request doesn't set nonce, then this check will be skipped (if (nonce &&… should achieve that). Are you sure there's a problem?

[ghost]

I have a project using this library with an IdentityServer4 server. The problem is that authorizationResponse.request.nonce is a valid nonce and idToken.nonce is null.

[WilliamDenniss]

OpenID Connect Core Section 2 states:

If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.

I believe we are implementing this correctly in AppAuth , is there a bug in IdentityServer4?

[ghost]

I have opened a bug with IdentityServer4 here: IdentityServer/IdentityServer4#2180

[ghost]

@WilliamDenniss
Section 12.1
Does not state anything about needing a nonce to verify a Refresh Request. Not sure AppAuth is really doing the right thing here.

[WilliamDenniss]

Ah, I didn't realize you were referring the refresh token flow.

Section 12.1 is a bit ambiguous for nonce, but yeah I don't think the intention was for nonce to be required in the ID Token for the token response during refreshes. I sent a note to the Connect mailing list regarding the possible ambiguity. Google doesn't return the nonce in refreshed ID Tokens either.

I've fixed this in the PR. Thanks very much for engaging and reporting this problem!

[StevenEWright]

LGTM

[ShaneQi]

Our identify server requires mobile clients to send nonce. I verified that this branch will work for our case. Are we merging this PR in the near future?

Thanks!