
I am trying to implement an authorization server with Spring Security 5.1, but I have a problem.

I have implemented a custom token enhancer to add an id_token to the token response to match the OIDC scope, and it is working fine.

But the problem started when the service provider sent a nonce parameter as part of the authorization request and expected it to be present in the id_token sent by the authorization server. So my question is:

How to access the parameters sent in authorize request in "token_enhancer"?

What I have tried?

I have added a login success-handler and can get the saved authorize request. But I need the same when creating the token.

Any idea how to do that?

Thanks.

Jose Loor

1 Answer


Since you said you are using a CustomTokenEnhancer, the good news is that you can get the stored request. Next, you know what to do ;)

```java
@Override
public OAuth2AccessToken enhance(
        OAuth2AccessToken accessToken,
        OAuth2Authentication authentication) {
    // The stored OAuth2Request carries the parameters of the authorization request.
    String nonce = authentication.getOAuth2Request().getRequestParameters().get("nonce");
    log.debug("Getting nonce param from stored request " + nonce);
    return accessToken;
}
```
Agam
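A fuller version of the enhancer from the answer above, as an added example that is not part of the original answer: it copies the `nonce` from the stored authorization request into the id_token claims unmodified, which is what the relying party compares against the value it sent. The class name `NonceIdTokenEnhancer`, the `idTokenSigner` function (a stand-in for whatever already builds and signs the id_token), the `issuer` value and the 300-second lifetime are assumptions.

```java
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;

import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

public class NonceIdTokenEnhancer implements TokenEnhancer {

    private final String issuer; // assumption: configured issuer URL
    // Hypothetical hook: turns a claims map into a signed JWT string.
    private final Function<Map<String, Object>, String> idTokenSigner;

    public NonceIdTokenEnhancer(String issuer,
                                Function<Map<String, Object>, String> idTokenSigner) {
        this.issuer = issuer;
        this.idTokenSigner = idTokenSigner;
    }

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,
                                     OAuth2Authentication authentication) {
        OAuth2Request request = authentication.getOAuth2Request();
        if (!request.getScope().contains("openid")) {
            return accessToken; // not an OIDC request: no id_token
        }
        long now = Instant.now().getEpochSecond();
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("iss", issuer);
        claims.put("sub", authentication.getName());
        claims.put("aud", request.getClientId());
        claims.put("iat", now);
        claims.put("exp", now + 300); // assumption: 5-minute id_token lifetime
        // Echo the nonce exactly as received; omit the claim if none was sent.
        String nonce = request.getRequestParameters().get("nonce");
        if (nonce != null && !nonce.isEmpty()) {
            claims.put("nonce", nonce);
        }
        // Copy the token so the id_token is added without mutating the input.
        Map<String, Object> info = new LinkedHashMap<>(accessToken.getAdditionalInformation());
        info.put("id_token", idTokenSigner.apply(claims));
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);
        result.setAdditionalInformation(info);
        return result;
    }
}
```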