malach-it / boruta_auth

79%

master: 86%

LAST BUILD ON BRANCH fix/optional-nonce-in-id-token

branch: fix/optional-nonce-in-id-token

CHANGE BRANCH

x

Reset

• fix/optional-nonce-in-id-token
• action-elixir-versions-matrix
• agent-credentials
• master
• multiple-key-selection
• openid-federation
• poc-hybrid-vp-token
• provider-policies-registration
• revert-22-pr-auth_error_msg
• signatures-adapter
• status-token-chains
• update-owl
• v2-3
• verify-public-client-id

Build # 7d392f0e79f4da405dae0d84eb9d6ecbc31942f4-PR-56

Build Type

Pull #56

github

Committed by metemaad

Commit Message

fix: only include nonce claim in id_token when provided in auth request

When no nonce is sent in the authorization request (nonce is nil or empty
string), the id_token should not include the nonce claim. Including an empty
nonce causes validation failures with some OIDC relying parties.

Per OIDC Core spec section 2, the nonce claim is optional and should only
be present if a nonce was sent in the authentication request.

This fixes issues with AWS ALB OIDC authentication, which does not send
a nonce parameter but validates the id_token and fails when an empty
nonce claim is present.

Changes:
- Modified maybe_put_nonce helper to skip nonce claim when nil or empty
- Added tests for nonce handling (nil, empty string, and valid nonce)

Pull Request Pull Request #56: fix: only include nonce claim in id_token when provided in auth request

Run Details

3 of 3 new or added lines in 1 file covered. (100.0%)

126 existing lines in 8 files now uncovered.

1504 of 1898 relevant lines covered (79.24%)

270.14 hits per line