Open
Description
Hi!
I have noticed that the nonce used in the OIDC authentication flow is a short static string. This poses a security issue as these state nonces are intended to protect against CSRF attacks.
My current solution is to use the URL and the current time to generate a hash.
```go
import ("crypto/sha256"; "encoding/hex"; "fmt"; "time")

h := sha256.New()
h.Write([]byte(secretUrl)) // hash the URL too; h.Sum(b) only appends the digest to b, it does not hash b
h.Write([]byte(fmt.Sprintf("%d", time.Now().UnixMilli())))
state := hex.EncodeToString(h.Sum(nil))
```
I do know that it isn't a great solution as the URL is in the request and the time is a monotonically incrementing counter, so I'm open to suggestions on how to improve this solution. Any suggestions?
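One way to meet the goal the issue describes (a `state` value that an attacker cannot predict, that is bound to the browser session that started the login, and that is accepted only once) is shown below. This is an added Go example, not code from the issue or from the project: the session ID, the in-memory store and the TTL are illustrative assumptions; in a real deployment the session ID would come from the session cookie and the store would live wherever the session does.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownSession = errors.New("oidc: no pending authorization for this session")
	ErrStateMismatch  = errors.New("oidc: state does not match the one issued")
	ErrStateExpired   = errors.New("oidc: state has expired")
)

// NewState draws 32 bytes (256 bits) from the OS CSPRNG and encodes them
// URL-safe, so the value travels in the query string unchanged. Nothing about
// the request (URL, time) feeds into it, so it cannot be reconstructed.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

type pending struct {
	state    string
	issuedAt time.Time
}

// StateStore keeps one pending state per browser session (the session ID is a
// hypothetical value taken from the session cookie) and accepts it exactly once.
type StateStore struct {
	mu  sync.Mutex
	ttl time.Duration
	now func() time.Time
	m   map[string]pending
}

// NewStateStore builds a store; now may be nil to use time.Now. The injectable
// clock exists only so that expiry can be exercised deterministically.
func NewStateStore(ttl time.Duration, now func() time.Time) *StateStore {
	if now == nil {
		now = time.Now
	}
	return &StateStore{ttl: ttl, now: now, m: make(map[string]pending)}
}

// Issue generates the state for a new authorization request and binds it to
// the caller's session. Any earlier pending state for that session is replaced.
func (s *StateStore) Issue(sessionID string) (string, error) {
	state, err := NewState()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[sessionID] = pending{state: state, issuedAt: s.now()}
	return state, nil
}

// Verify is called from the redirect_uri handler with the session ID from the
// cookie and the state from the query string. The pending entry is consumed
// whether or not the check passes, so a given state can never be accepted twice.
func (s *StateStore) Verify(sessionID, state string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.m[sessionID]
	if !ok {
		return ErrUnknownSession
	}
	delete(s.m, sessionID)
	if subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) != 1 {
		return ErrStateMismatch
	}
	if s.now().Sub(p.issuedAt) > s.ttl {
		return ErrStateExpired
	}
	return nil
}

func main() {
	store := NewStateStore(10*time.Minute, nil)
	state, _ := store.Issue("session-abc") // constructed session ID
	fmt.Println("redirect with state =", state)
	fmt.Println("callback check:", store.Verify("session-abc", state))
	fmt.Println("replayed state:", store.Verify("session-abc", state))
}
```

The callback compares the `state` from the query against the one stored for the session that initiated the login, so a forged callback URL sent to a victim fails unless the attacker also holds that victim's session-bound value. Note that in OIDC the `state` parameter (CSRF binding, what this example generates) and the `nonce` parameter (bound into the ID token and checked after it is received) are two separate values; both should be fresh, random per request and generated the same way.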