Feature Request
Add a boolean toggle to disable the ID token validation
Motivation
Should be optional, as some IDMs don't provide valid ID tokens. Also useful for local development. Should be added to restore old behavior of <0.8x versions.
Description
The ID token validation that was introduced in 0.8.0 is causing an issue when trying to login to the BMW Group IDM (GCDM). For other IDM providers it is working as expected. Seems like for GCDM there's no nonce. I will likely do some more research and find out whether this is a required or an optional field and contact them.
Up until then (and probably in other cases such as #585) we would want to disable this validation inside the appauth library. For us this is fine as there is an extra ID Token validation in our backend.
Here's the code that checks this specific nonce field:
// nonc=null, expectedNonce similar to "TCCE-wWads-dasda"
if (!TextUtils.equals(this.nonce, expectedNonce)) {
throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR, new IdToken.IdTokenException("Nonce mismatch"));
}
Alternatives or Workarounds
The alternative would be to stay at 0.7.x or fork 0.8.0 and patch out the ID token check or the nonce validation.
Alternatively, for the nonce mismatch you can just set a specific nonce (null for example) to trick out the validation:
val builder = AuthorizationRequest.Builder(
serviceConfiguration,
mClientId,
RESPONSE_TYPE,
redirectUri
)
builder.setNonce(null)
Feature Request
Add a boolean toggle to disable the ID token validation
Motivation
Should be optional, as some IDMs don't provide valid ID tokens. Also useful for local development. Should be added to restore old behavior of <0.8x versions.
Description
The ID token validation that was introduced in 0.8.0 is causing an issue when trying to login to the BMW Group IDM (GCDM). For other IDM providers it is working as expected. Seems like for GCDM there's no nonce. I will likely do some more research and find out whether this is a required or an optional field and contact them.
Up until then (and probably in other cases such as #585) we would want to disable this validation inside the appauth library. For us this is fine as there is an extra ID Token validation in our backend.
Here's the code that checks this specific nonce field:
Alternatives or Workarounds
The alternative would be to stay at 0.7.x or fork 0.8.0 and patch out the ID token check or the nonce validation.
Alternatively, for the nonce mismatch you can just set a specific nonce (null for example) to trick out the validation: