groove/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-03-01 05:29:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

OIDC: Skip nonce for mobile flow to fix app login

Browse source 
Some IdPs (e.g. Authentik) don't echo the nonce in the id_token for
the authorization code flow, causing "nonce mismatch, got: undefined"
errors when the mobile app attempts SSO login. The mobile flow already
uses PKCE which provides equivalent replay protection, so nonce is not
needed. Web flow continues to use nonce for defense-in-depth.
This commit is contained in:
Denis Arnst 2026-02-13 12:31:31 +01:00
parent 67f8eb6815
commit a6848065e1
No known key found for this signature in database
GPG key ID: D5866C58940197BF
2 changed files with 7 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

6
server/auth/OidcAuthStrategy.js
View file

@ -107,7 +107,6 @@ class OidcAuthStrategy {
this.openIdAuthSession.delete(state)
sessionData = {
state: state,
nonce: mobileSession.nonce,
sso_redirect_uri: mobileSession.sso_redirect_uri
}
isMobileCallback = true
@ -434,7 +433,9 @@ class OidcAuthStrategy {
}
// Generate nonce to bind id_token to this session (OIDC Core 3.1.2.1)
const nonce = OpenIDClient.generators.nonce()
// Nonce is only used for web flow. Mobile flow relies on PKCE for replay protection,
// and some IdPs don't echo the nonce in the id_token for authorization code flow.
const nonce = isMobileFlow ? undefined : OpenIDClient.generators.nonce()
if (isMobileFlow) {
// For mobile: store session data in the openIdAuthSession Map (keyed by state)
@ -442,7 +443,6 @@ class OidcAuthStrategy {
this.openIdAuthSession.set(state, {
mobile_redirect_uri: req.query.redirect_uri,
sso_redirect_uri: redirectUri,
nonce: nonce,
created_at: Date.now()
})
}