Status: Open
Labels: auth (Issues and PRs related to Authentication / OAuth), enhancement (Request for a new feature that's not currently supported)
Description
Two stale PRs (#769, #770) proposed adding OIDC nonce parameter support to the client auth flow. Before reimplementing, we should evaluate whether this is an SDK responsibility.
Context:
- Add OIDC ID token support #680 added `id_token` as an optional passthrough field in `OAuthTokensSchema`, explicitly with no validation: "No additional validation or processing of the ID token is performed at this time."
- Add nonce support #769 / Add nonce validation #770 were filed the same day Add OIDC ID token support #680 merged, adding nonce generation and validation as the security follow-up.
- The `nonce` parameter binds the ID token to the client session to prevent replay attacks.
Open question:
Should the SDK validate ID tokens it passes through (nonce, signature, audience), or is that the consumer's responsibility? If SDK-side, nonce is part of that. If pure passthrough, it belongs in user-land.
Prior art: #769 (nonce generation) and #770 (nonce + audience validation) against the pre-v2 structure.
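For reference, the nonce binding the issue describes, as an added example that is not code from the SDK or from PRs #769/#770: the client generates a nonce before the authorization request, stores it with the session, and after the ID token arrives checks nonce, aud, iss and exp. The function names and the sample token are hypothetical; signature verification against the provider's JWKS is a separate step this example assumes has already been done.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Generate an unguessable, single-use nonce to send in the authorization request
// and keep alongside the session until the ID token comes back.
function generateNonce(): string {
  return randomBytes(32).toString("base64url");
}

// Decode the payload segment of a JWT without verifying it (verification assumed done).
function decodeIdTokenPayload(idToken: string): Record<string, unknown> {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("malformed ID token");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Validate the claims that bind the ID token to this client and this session.
function validateIdTokenClaims(
  idToken: string,
  expected: { nonce: string; clientId: string; issuer: string; now?: number },
): Record<string, unknown> {
  const claims = decodeIdTokenPayload(idToken);
  const now = expected.now ?? Math.floor(Date.now() / 1000);
  if (claims.iss !== expected.issuer) throw new Error("iss mismatch");
  const aud = claims.aud;
  const audOk = Array.isArray(aud) ? aud.includes(expected.clientId) : aud === expected.clientId;
  if (!audOk) throw new Error("aud mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("ID token expired");
  if (typeof claims.nonce !== "string") throw new Error("nonce missing");
  const got = Buffer.from(claims.nonce);
  const want = Buffer.from(expected.nonce);
  // Constant-time comparison so the check does not leak how many bytes matched.
  if (got.length !== want.length || !timingSafeEqual(got, want)) throw new Error("nonce mismatch");
  return claims;
}

// Constructed sample token for demonstration only: header and payload are real
// base64url JSON, the signature segment is a placeholder (not a valid signature).
function makeSampleIdToken(claims: Record<string, unknown>): string {
  const b64 = (o: unknown) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}.signature-placeholder`;
}
```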