I understand that a nonce is used to prevent replay attacks. I have been going through documentations, specs, posts and blog posts and I am a little confused.
Consider the following attack scenario.
- Mary wants to login to https://photos.com via Google.
- https://photos.com redirects Mary to Google setting a random nonce in the request and also storing this value in web storage. Mary logs in successfully.
- Mary is redirected back to https://photos.com with the
authorization_codeand anid_tokenwith the nonce set as a claim. - https://photos.com validates the nonce in the id_token against the one stored in web storage.
- If both match, she is let in.
Now, the whole idea of nonce as far as I understand is to prevent replay attacks. How is the nonce even stopping it here? If an attacker intercepts the response from the authorization server, what is stopping him from decoding the id_token, reading the nonce and setting this value in web storage and passing off the response as a valid one?
Attacker -> intercept response -> decode token -> fetch nonce value -> set it as a value in web storage -> forward the response from the authorization server to the client.
Taken from Auth0's documentation: https://auth0.com/docs/get-started/authentication-and-authorization-flow/mitigate-replay-attacks-when-using-the-implicit-flow
The only post I have seen so far that makes sense to me is this one. Openid connect nonce replay attack
He also has a Medium article describing this.
The gist of this is to generate a random String and set its hash as the nonce. When you get back the response from the authorization server, generate the hash of the random String and compare it to the nonce from the response.
Is this the right way to do it or should one follow the Auth0 documentation?
People who have implemented this, please share your thoughts and how you have implemented this.
