When provided the nonce is added as a claim in the returned ID token [0]. To test you need to get an access token with the 'Sign scope' (if the usage of PKCE is forced, add the mandatory parameters): 1. In the project admin create an OAuth2 app (note the ID and the given secret) 2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=openid&response_type=code&redirect_uri=<redirect_uri>&nonce=<nonce_value> 3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL 4. Exchange the authorization code for an access token and an ID token: shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \ --user '<client_id>:<client_secret>' \ --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \ https://tuleap.example.com/oauth2/token 5. The ID token will have a 'nonce' claim set to the value you provided at the authorization request. Part of story #14714: be an OpenID Connect provider [0] https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation Change-Id: I6d38147b0518cef2fd72e8d0197151af6ef95c8d

+171 −38

Author

Thomas Gerbet (tgerbet) 2020-04-09 15:29

Committer

Thomas Gerbet (tgerbet) 2020-04-09 15:29

Hash 813a81c1f3d6254f54572466fa3c99c7d3818f03

Parent d2d3351ab0b10ae8a06ed181fe8965aedc1025f9

Reference git #tuleap/stable/813a81c1f3d6254f54572466fa3c99c7d3818f03