I'm developing a software where the login process is done using Microsoft Azure AD with Oauth2. The nonce number is optional on this process and after a successful login I receive a token that's valid for one hour.

I couldn't understand the function of the nonce in this process and I'm not using it. Is my authentication less secure because of this? What are the benefits of adding a nonce number to this process?

Ranieri Mazili
    Have a look - https://stackoverflow.com/questions/46844285/difference-between-oauth-2-0-state-and-openid-nonce-parameter-why-state-cou/46859861#46859861 – Kavindu Dodanduwa Jan 30 '20 at 11:26
    Does this answer your question? [Difference between OAuth 2.0 "state" and OpenID "nonce" parameter? Why state could not be reused?](https://stackoverflow.com/questions/46844285/difference-between-oauth-2-0-state-and-openid-nonce-parameter-why-state-cou) – 4c74356b41 Jan 30 '20 at 11:35

1 Answer

Nonce binds client and token which prevents token replay attacks.

> nonce - String value used to associate a Client session with an ID Token, and to mitigate replay attacks

Think about your token endpoint and receiving token response from authorization server. As the client, how could you validate ID token to be not replayed by a malicious party? This is what nonce serves.

You add this parameter in authorization request. And in the token response, you get ID token. When you validate the token, you verify nonce inside token (JWT claims).

More from this answer

Also, depending on the flow type, nonce can be a mandatory parameter. The implicit flow and hybrid flow mandate a nonce value.

Kavindu Dodanduwa
    you should just vote close this, no need to duplicate answers, especially given this is your answer – 4c74356b41 Jan 30 '20 at 11:35
  • @4c74356b41 yes will do so. Only exception is the title which leads to a comparison of nonce and state. This is why I added it as an answer – Kavindu Dodanduwa Jan 30 '20 at 11:39
  • @4c74356b41 The question is not a duplicate, it just so happens that the answer to a different question also happens to contain the answer to this question. – Philippe Signoret Jan 30 '20 at 16:16
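As an added illustration of the nonce handling the answer describes (this is example code, not from the question, the answer or Microsoft's libraries): the client mints a fresh nonce and state per authorization request, keeps them server-side, and later accepts the ID token's `nonce` claim exactly once. It assumes the Azure AD v2 `/oauth2/v2.0/authorize` endpoint with the `common` tenant, a hypothetical client id and redirect URI, and that the ID token's signature, issuer, audience and expiry were already verified before the claims reach `validate_id_token_nonce`.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Added example, not code from the question or the answer. The endpoint is the
# Azure AD v2 authorize endpoint; tenant, client_id and redirect_uri are assumptions.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


class RelyingPartySession:
    """State the client keeps (server-side, per browser session) between sending
    the authorization request and validating the ID token it gets back."""

    def __init__(self):
        # state -> nonce; an entry is deleted the first time it is consumed,
        # so a second ID token carrying the same nonce is rejected as a replay
        self.pending = {}

    def build_authorize_url(self, client_id, redirect_uri):
        state = secrets.token_urlsafe(32)   # ties the redirect back to this session
        nonce = secrets.token_urlsafe(32)   # the IdP copies this into the ID token
        self.pending[state] = nonce
        params = {
            "client_id": client_id,
            "response_type": "code",
            "redirect_uri": redirect_uri,
            "scope": "openid profile",
            "state": state,
            "nonce": nonce,
        }
        return f"{AUTHORIZE_URL}?{urlencode(params)}", state, nonce

    def validate_id_token_nonce(self, state, claims):
        """`claims` is the ID token payload as a dict, and must only be passed
        here after signature (against the IdP's JWKS), issuer, audience and
        expiry checks have succeeded; the nonce check is the last step."""
        expected = self.pending.pop(state, None)   # pop, not get: single use
        if expected is None:
            # unknown or already-consumed state: forged redirect or replayed token
            return False
        actual = claims.get("nonce")
        if not isinstance(actual, str) or not actual.isascii():
            return False
        # constant-time comparison of the stored nonce with the claim
        return hmac.compare_digest(expected, actual)
```

The same `state` is also what the callback handler checks against the `state` query parameter, so one lookup serves both the CSRF check on the redirect and the replay check on the token.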