Add a OIDC.REQUIRE_NONCE option to improve compatibility with clients

CHANGES.rst

@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
 The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.0.0/>`_,
 and this project adheres to `Semantic Versioning <https://semver.org/spec/v2.0.0.html>`_.
 
+Added
+*****
+
+- Configuration option to disable the forced usage of OIDC nonce :pr:`143`
+
 [0.0.30] - 2023-07-06
 =====================
 

canaille/config.sample.toml

@@ -185,6 +185,10 @@ WRITE = [
 #     "xxxxxxx-yyyyyyy-zzzzzz",
 # ]
 
+# REQUIRE_NONCE force the nonce exchange during the authentication flows.
+# This adds security but may not be supported by all clients.
+# REQUIRE_NONCE = true
+
 [OIDC.JWT]
 # PRIVATE_KEY_FILE and PUBLIC_KEY_FILE are the paths to the private and
 # the public key. You can generate a RSA keypair with:

canaille/oidc/oauth.py

@@ -435,7 +435,12 @@ def setup_oauth(app):
 
     authorization.register_grant(
         AuthorizationCodeGrant,
-        [OpenIDCode(require_nonce=True), CodeChallenge(required=True)],
+        [
+            OpenIDCode(
+                require_nonce=app.config.get("OIDC", {}).get("REQUIRE_NONCE", True)
+            ),
+            CodeChallenge(required=True),
+        ],
     )
     authorization.register_grant(OpenIDImplicitGrant)
     authorization.register_grant(OpenIDHybridGrant)

demo/conf-docker/canaille.toml

@@ -191,9 +191,10 @@ DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
     "xxxxxxx-yyyyyyy-zzzzzz",
 ]
 
-# The jwt configuration. You can generate a RSA keypair with:
-# openssl genrsa -out private.pem 4096
-# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
+# REQUIRE_NONCE force the nonce exchange during the authentication flows.
+# This adds security but may not be supported by all clients.
+# REQUIRE_NONCE = true
+
 [OIDC.JWT]
 # PRIVATE_KEY_FILE and PUBLIC_KEY_FILE are the paths to the private and
 # the public key. You can generate a RSA keypair with:

demo/conf/canaille.toml

@@ -195,6 +195,10 @@ DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
     "xxxxxxx-yyyyyyy-zzzzzz",
 ]
 
+# REQUIRE_NONCE force the nonce exchange during the authentication flows.
+# This adds security but may not be supported by all clients.
+# REQUIRE_NONCE = true
+
 [OIDC.JWT]
 # PRIVATE_KEY_FILE and PUBLIC_KEY_FILE are the paths to the private and
 # the public key. You can generate a RSA keypair with:

doc/configuration.rst

@@ -197,6 +197,11 @@ OIDC
 :DYNAMIC_CLIENT_REGISTRATION_TOKENS:
     *Optional.* A list of tokens that can be used for dynamic client registration
 
+:REQUIRE_NONE:
+    *Optional.* Forces the nonce exchange during the authentication flows.
+    This adds security but may not be supported by all clients.
+    Defaults to ``True``
+
 OIDC.JWT
 --------
 Canaille needs a key pair to sign the JWT. The installation command will generate a key pair for you, but you can also do it manually. In debug mode, a in-memory keypair will be used.