IDT-based authentication succeeds when a reused challenge is supplied.

Description

  1. Get the ID token.

  2. Start an IDT transaction (the transaction id is issued when the oauth-details endpoint is hit).

  3. Hit the /v1/esignet/authorization/v3/authenticate endpoint with a correct and valid request body and note down the challenge used.

  4. Now start a new transaction and get an ID token.

  5. Repeat step 2, then reuse the challenge from step 3 in /v1/esignet/authorization/v3/authenticate.

Observed: IDT-based authentication is successful.

Expected output: an auth_failed error, because a reused challenge was used for authentication.

request body:

response:

Environment

es-qa

Activity

Anushree N February 6, 2025 at 4:14 PM

Verified in es-qa.mosip.net:

  1. Able to get the error message "invalid_individual_id" when the sub value in the challenge differs from the individualId in the request body.

  2. Able to get the error message "auth_failed" when reusing an old/previous challenge along with the old individualId.

  3. Able to get the error message "invalid_request" when reusing the same nonce in multiple oauth-details requests.

Working as expected, hence closing the bug.

Humair Kankudti Md January 17, 2025 at 1:27 PM

Dev tested in dev1:

Add an individualId that is the same as the sub from the hardcoded challenge; in the above case it is "2YYF_ZdAH2zRm6g2UmeAHXjfZZicpWOxZHYrrkA1QYM". If you don't change the individualId in the request, the response will be invalid individual id.

Response:

Humair Kankudti Md December 20, 2024 at 5:04 AM

The above-mentioned changes are done; need to confirm from regarding the same.

Anusha sunkada December 15, 2024 at 6:54 PM
Edited

Create the ID token with server-nonce. On the authenticate call, check if the ID token's nonce matches the nonce in the current OIDC transaction and also if it matches the server nonce in the halted transaction.

Currently, the same is verified with a cookie, which should be applied between the transaction and the ID token.

Also, we should not permit multiple OIDC transactions with the same nonce.
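The nonce binding proposed in this comment, shown as an added illustration that is not eSignet's own code: a minimal verifier that issues one server nonce per OIDC transaction, requires the ID token's nonce claim to match it, consumes the transaction on success so the same challenge cannot succeed again, and refuses a second oauth-details call with a nonce already seen. The HMAC-signed token format, the `Esignet` class, the demo key and the response field names (`transactionId`, `serverNonce`, `status`) are assumptions; the error codes are the ones verified on this ticket.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"demo-idt-signing-key"  # constructed stand-in for the issuer's signing key (assumption)

def mint_id_token(sub, server_nonce):
    # Issuer side: HMAC-signed token (stand-in for a signed JWT) binding sub to the server nonce.
    payload = base64.urlsafe_b64encode(json.dumps({"sub": sub, "nonce": server_nonce}).encode())
    return payload.decode() + "." + hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()

class Esignet:
    # Verifier side: one server nonce per OIDC transaction, each challenge usable exactly once.
    def __init__(self):
        self.transactions = {}    # transactionId -> server nonce, removed once consumed
        self.seen_nonces = set()  # client nonces from every oauth-details call so far

    def oauth_details(self, client_nonce):
        if client_nonce in self.seen_nonces:  # no second OIDC transaction with the same nonce
            return {"error": "invalid_request"}
        self.seen_nonces.add(client_nonce)
        tid, server_nonce = secrets.token_hex(8), secrets.token_urlsafe(16)
        self.transactions[tid] = server_nonce
        return {"transactionId": tid, "serverNonce": server_nonce}

    def authenticate(self, tid, individual_id, challenge):
        server_nonce = self.transactions.get(tid)  # None if never started or already consumed
        if server_nonce is None:
            return {"error": "auth_failed"}
        payload, _, sig = challenge.partition(".")
        expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return {"error": "auth_failed"}
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims.get("nonce") != server_nonce:  # a replayed challenge carries an old nonce
            return {"error": "auth_failed"}
        if claims.get("sub") != individual_id:
            return {"error": "invalid_individual_id"}
        del self.transactions[tid]  # consume the transaction so the challenge cannot succeed twice
        return {"status": "authenticated"}

def run_scenario():  # replays the bug report's steps against the fixed checks
    es = Esignet()
    t1 = es.oauth_details("nonce-A")
    challenge = mint_id_token("ind-1", t1["serverNonce"])       # step 3: valid challenge
    first = es.authenticate(t1["transactionId"], "ind-1", challenge)
    t2 = es.oauth_details("nonce-B")                             # step 4: new transaction
    replay = es.authenticate(t2["transactionId"], "ind-1", challenge)  # step 5: reused challenge
    dup = es.oauth_details("nonce-A")                            # same nonce in oauth-details again
    wrong = es.authenticate(t2["transactionId"], "ind-2", mint_id_token("ind-1", t2["serverNonce"]))
    return {"first": first, "replay": replay, "dup_nonce": dup, "wrong_sub": wrong}
```

`run_scenario()` returns the four outcomes in order: the first authentication succeeds, the replayed challenge gets auth_failed, the repeated nonce gets invalid_request, and a sub/individualId mismatch gets invalid_individual_id.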

Details

Status: Unresolved
Severity: Critical
Rootcause: Coding issue
Created: December 4, 2024 at 8:24 AM
Updated: February 11, 2025 at 8:37 AM