Nonce parameter in OpenID Connect

This post describes the purpose of the nonce parameter in OpenID Connect.

In short, the nonce parameter binds an ID Token to the client session that started the login, which lets the Relying Party detect a Replay Attack: a category of network attack in which an attacker captures a data transmission and fraudulently has it delayed or repeated. OpenID Connect Core makes nonce REQUIRED in the Implicit and Hybrid Flows, where the ID Token passes through the browser, and OPTIONAL but recommended in the Authorization Code Flow.

I will try to explain the nonce parameter as clearly as I can.

When not using the nonce parameter

First, the characters in this post.

SNS1: Relying Party, which relies on the OpenID Connect Provider for authentication.
SNS2: OpenID Connect Provider, which provides authentication to the Relying Party.
A-san: a user of SNS1.
Attacker: an attacker who is trying to carry out a Replay Attack.
A-san accesses SNS1 via a web browser.

SNS1 redirects A-san to the SNS2 Authorization Endpoint.

SNS2 shows A-san its login page. A-san logs in to SNS2.

SNS2 redirects A-san to the pre-configured Callback URL with the Authorization Code as a query parameter.

SNS1 exchanges the Authorization Code for an ID Token by requesting the Token Endpoint.

SNS2 issues the ID Token to SNS1, while the attacker intercepts the traffic between SNS1 and SNS2 and obtains the ID Token.

The attacker sends the previously obtained ID Token to SNS1. SNS1 receives the ID Token, verifies it and finds it valid. SNS1 has no way to know that the ID Token was sent by the attacker, because iss, sub, aud, exp and every other claim are correct: the token is indistinguishable from the one issued for A-san's login.

When using the nonce parameter

I'll show you how the nonce parameter prevents an attacker from carrying out a Replay Attack.

A-san accesses SNS1 via a web browser.

SNS1 redirects A-san to the SNS2 Authorization Endpoint. Before redirecting, SNS1 generates a nonce, a random, unguessable value that is used only once, stores it in A-san's session, and includes it as the nonce query parameter of the Authorization Endpoint URL.

SNS2 shows A-san its login page. A-san logs in to SNS2.

SNS2 redirects A-san to the pre-configured Callback URL with the Authorization Code as a query parameter.

SNS1 exchanges the Authorization Code for an ID Token by requesting the Token Endpoint.

SNS2 issues the ID Token to SNS1. The ID Token includes a nonce claim whose value is the one SNS1 generated when it redirected A-san to the Authorization Endpoint. SNS1 accepts the ID Token only when the value of the nonce claim matches the value stored in A-san's session. Meanwhile, just as before, the attacker intercepts the traffic between SNS1 and SNS2 and obtains the ID Token.

SNS1 removes the nonce value from A-san's session after validating the ID Token, so each nonce can be used only once.

The attacker sends the ID Token obtained earlier. SNS1 compares the nonce value in the ID Token with the one in the session; the session no longer holds a nonce, so the values do not match and SNS1 rejects the ID Token sent by the attacker. In this way, the nonce parameter prevents the Replay Attack.
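The two flows above, run end to end as an added example (this is not code from the original post). It simulates SNS2 minting an ID Token and SNS1 generating, binding, checking and consuming the nonce, then replays the same captured token in each scenario. Assumptions that are not in the post: SNS2 signs the ID Token with HS256 using the client_secret as key (OIDC Core 10.1 permits this), the issuer, client_id and redirect_uri are made-up values, and a plain dict stands in for server-side session storage.

```python
"""Toy OpenID Connect nonce walk-through (added example, not the post's own code).

Assumptions not taken from the post: SNS2 signs ID Tokens with HS256 keyed by the
client_secret (OIDC Core 10.1 permits this); issuer, client_id and redirect_uri are
made-up values; a plain dict stands in for server-side session storage.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

ISSUER = "https://sns2.example"  # hypothetical OpenID Provider (SNS2)
CLIENT_ID = "sns1"  # hypothetical Relying Party (SNS1)
CLIENT_SECRET = b"demo-client-secret-not-for-production"  # constructed demo secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def op_issue_id_token(sub: str, nonce: Optional[str], now: Optional[int] = None) -> str:
    """SNS2 (OP): mint an ID Token. If the authorization request carried a nonce,
    it is echoed back unchanged as the nonce claim (OIDC Core 3.1.3.3)."""
    now = now or int(time.time())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now, "exp": now + 300}
    if nonce is not None:
        claims["nonce"] = nonce
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def rp_start_login(session: dict) -> str:
    """SNS1 (RP): create a fresh unguessable nonce, bind it to this browser session,
    and build the redirect to the Authorization Endpoint."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
              "redirect_uri": "https://sns1.example/callback", "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}"


def rp_verify_id_token(id_token: str, session: dict, check_nonce: bool = True,
                       now: Optional[int] = None) -> dict:
    """SNS1 (RP): verify alg, signature, iss, aud and exp. With check_nonce, also require
    the nonce claim to equal the session nonce, and consume the session nonce (single
    use) whether or not the comparison succeeds."""
    now = now or int(time.time())
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion such as 'none'
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong iss or aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if check_nonce:
        stored = session.pop("oidc_nonce", None)  # removed even if the check fails
        presented = str(claims.get("nonce", ""))
        if stored is None or not hmac.compare_digest(stored.encode(), presented.encode()):
            raise ValueError("nonce mismatch")
    return claims


def demo() -> dict:
    """Replay one captured ID Token in each scenario of the post and report
    whether the replay was accepted without and with the nonce check."""
    results = {}
    # Scenario 1: no nonce. The token is valid on its own, so the replay passes too.
    session = {}
    token = op_issue_id_token("a-san", nonce=None)
    rp_verify_id_token(token, session, check_nonce=False)  # A-san's real login
    try:
        rp_verify_id_token(token, session, check_nonce=False)  # attacker's replay
        results["replay_without_nonce_accepted"] = True
    except ValueError:
        results["replay_without_nonce_accepted"] = False
    # Scenario 2: nonce bound to the session and consumed on first use.
    session = {}
    rp_start_login(session)  # the OP reads this nonce from the authorize request
    token = op_issue_id_token("a-san", nonce=session["oidc_nonce"])
    rp_verify_id_token(token, session)  # A-san's real login: nonce matches, consumed
    try:
        rp_verify_id_token(token, session)  # attacker's replay: nothing left to match
        results["replay_with_nonce_accepted"] = True
    except ValueError:
        results["replay_with_nonce_accepted"] = False
    return results
```

Calling `demo()` returns `{'replay_without_nonce_accepted': True, 'replay_with_nonce_accepted': False}`. Two design points worth copying into a real Relying Party: the nonce is compared with a constant-time comparison, and it is popped from the session before the comparison, so a failed attempt cannot be retried against the same stored value.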

About 武井 宜行 (251 articles)
Microsoft MVP for Azure. With the motto "making the latest technology fun and easy to understand", I publish on the blog tech-lab.sios.jp. My specialty is cloud-native development on Azure (Java and others). I am streaming the video series "世界一わかりみの深いクラウドネイティブ on Azure": https://t.co/OMaJYb3pRN