IDT based authentication succeeds when a reused challenge is presented.
Activity

Anushree N February 6, 2025 at 4:14 PM
Verified in es-qa.mosip.net:
Able to get error message "invalid_individual_id" when the sub value in the challenge is different from that of the individualId in the request body.
Able to get error message "auth_failed" when reusing an old/previous challenge along with the old individualId.
Able to get error message "invalid_request" when reusing the same nonce in multiple oauth-details requests.
Working as expected, hence closing the bug.

Humair Kankudti Md January 17, 2025 at 1:27 PM
Dev tested in dev1:
Add individualId the same as sub from the hardcoded challenge; in the above case it is "2YYF_ZdAH2zRm6g2UmeAHXjfZZicpWOxZHYrrkA1QYM". If you don't change the individualId in the request, the response will be invalid individual id.
Response:

Humair Kankudti Md December 20, 2024 at 5:04 AM
The above mentioned changes are done, need to confirm from regarding the same.

Anusha sunkada December 15, 2024 at 6:54 PM (Edited)
Create the ID token with server-nonce. On the authenticate call, check if the ID token's nonce matches the nonce in the current OIDC transaction and also if it matches the server nonce in the halted transaction.
Currently, the same is verified with a cookie, which should be applied between the transaction and the ID token.
Also, we should not permit multiple OIDC transactions with the same nonce.
Details
1. Get the ID token.
2. Start an IDT transaction by hitting the oauth-details endpoint and note the transaction id.
3. Hit the /v1/esignet/authorization/v3/authenticate endpoint with a correct and valid request body and note down the challenge used.
4. Start a new transaction and get an ID token.
5. Repeat step 2, then reuse the challenge from step 3 in /v1/esignet/authorization/v3/authenticate.
Observed: IDT based authentication is successful.
Expected output: should get an auth_failed error, since a reused challenge is being used for authentication.
request body:
response:
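As an added example (not eSignet's own code and not from any commenter on this issue), the Python model below walks through the reproduction steps above and implements the two checks Anusha proposes in the activity: the ID token's nonce must match the nonce of the current transaction, the nonce must not be shared by more than one live transaction, and an accepted challenge must not be accepted again. The token format, signing key, transaction store, nonce values and the `oauth_details`/`authenticate` method names are constructed assumptions; the error strings are the ones Anushree reports observing after the fix, and the `sub` value is the one quoted in Humair's comment.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a shared HMAC key stands in for the real token-signing key.
SERVER_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, nonce: str) -> str:
    """Issue a minimal HS256-style ID token carrying sub and nonce (constructed format)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "nonce": nonce}).encode())
    sig = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    try:
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


class AuthServer:
    """Toy model of the oauth-details and authenticate steps (assumption, not eSignet's API)."""

    def __init__(self) -> None:
        self.transactions = {}          # transaction id -> {"nonce": str, "authenticated": bool}
        self.nonces_in_use = set()      # nonces bound to live transactions
        self.consumed_challenges = set()  # sha256 of every challenge already accepted

    def oauth_details(self, nonce: str) -> dict:
        """Start a transaction; refuse a nonce another live transaction already uses."""
        if nonce in self.nonces_in_use:
            return {"error": "invalid_request"}
        tid = secrets.token_hex(8)
        self.nonces_in_use.add(nonce)
        self.transactions[tid] = {"nonce": nonce, "authenticated": False}
        return {"transactionId": tid}

    def authenticate(self, transaction_id: str, individual_id: str, challenge: str) -> dict:
        """IDT authentication: bind the challenge to this transaction and to one use only."""
        tx = self.transactions.get(transaction_id)
        claims = verify_id_token(challenge)
        if tx is None or claims is None:
            return {"error": "auth_failed"}  # unknown transaction or bad signature
        if claims.get("sub") != individual_id:
            return {"error": "invalid_individual_id"}
        digest = hashlib.sha256(challenge.encode()).hexdigest()
        # Nonce in the token must be the one this transaction was started with,
        # and the exact challenge must never have been accepted before.
        if claims.get("nonce") != tx["nonce"] or digest in self.consumed_challenges:
            return {"error": "auth_failed"}
        self.consumed_challenges.add(digest)
        tx["authenticated"] = True
        return {"status": "authenticated"}


def reproduce_bug_scenario() -> dict:
    """Replay the issue's steps against the hardened model and collect each outcome."""
    server = AuthServer()
    sub = "2YYF_ZdAH2zRm6g2UmeAHXjfZZicpWOxZHYrrkA1QYM"  # sub value quoted in the comment
    # Steps 1-3: first transaction, valid challenge for it.
    t1 = server.oauth_details("nonce-1")["transactionId"]   # constructed nonce
    challenge1 = issue_id_token(sub, "nonce-1")
    first = server.authenticate(t1, sub, challenge1)
    # Steps 4-5: new transaction, old challenge reused (the reported bug).
    t2 = server.oauth_details("nonce-2")["transactionId"]
    replay = server.authenticate(t2, sub, challenge1)
    # Replaying the same challenge inside its own transaction is refused too.
    same_tx_replay = server.authenticate(t1, sub, challenge1)
    # Mismatch between the token's sub and the individualId in the request.
    mismatch = server.authenticate(t2, "someone-else", issue_id_token(sub, "nonce-2"))
    # The same nonce presented again at oauth-details.
    duplicate_nonce = server.oauth_details("nonce-1")
    return {"first": first, "replay": replay, "same_tx_replay": same_tx_replay,
            "mismatch": mismatch, "duplicate_nonce": duplicate_nonce}


if __name__ == "__main__":
    for step, outcome in reproduce_bug_scenario().items():
        print(f"{step}: {outcome}")
```

The model keeps two separate defences because they fail in different ways: the nonce comparison ties a token to the transaction it was issued for, while the consumed-challenge set makes each accepted token single-use even within the right transaction. In a real deployment that set and the live-nonce set would live in shared, expiring storage rather than in process memory.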