Skip to content

Allow disabling ID Token Validation #655

Description

@carstenhag

Feature Request

Add a boolean toggle to disable the ID token validation

Motivation

Should be optional, as some IDMs don't provide valid ID tokens. Also useful for local development. Should be added to restore old behavior of <0.8x versions.

Description

The ID token validation that was introduced in 0.8.0 is causing an issue when trying to login to the BMW Group IDM (GCDM). For other IDM providers it is working as expected. Seems like for GCDM there's no nonce. I will likely do some more research and find out whether this is a required or an optional field and contact them.

Up until then (and probably in other cases such as #585) we would want to disable this validation inside the appauth library. For us this is fine as there is an extra ID Token validation in our backend.

Here's the code that checks this specific nonce field:

// nonc=null, expectedNonce similar to "TCCE-wWads-dasda"
if (!TextUtils.equals(this.nonce, expectedNonce)) {
    throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdToken.IdTokenException("Nonce mismatch"));
}

Alternatives or Workarounds

The alternative would be to stay at 0.7.x or fork 0.8.0 and patch out the ID token check or the nonce validation.

Alternatively, for the nonce mismatch you can just set a specific nonce (null for example) to trick out the validation:

val builder = AuthorizationRequest.Builder(
            serviceConfiguration,
            mClientId,
            RESPONSE_TYPE,
            redirectUri
        )
builder.setNonce(null)

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions