Nonce mismatch in OpenID Connect Enterprise Connections

mash · October 10, 2019, 3:20pm

I created a new OpenID Connect provider in the “Connections > Enterprise > OpenID Connect” menu.

When I try to login using my OpenID Connect provider to an application, browser redirects back to a URL like “http://localhost:3000/callback?error=invalid_request&error_description=nonce%20mismatch&state=BVT3U3oRv…”.

This happens because,
when Auth0 redirects to the authorization endpoint of my OpenID Connect provider,
it does NOT add a nonce!
The request parameters are (from Chrome developer tools)

client_id={valid-client-id}&scope=openid&response_type=code&redirect_uri=https%3A%2F%2F{tenant}.eu.auth0.com%2Flogin%2Fcallback&response_mode=query&state=XFQ...

So my OpenID Connect provider does NOT receive the nonce, and therefor cannot put it inside the id_token, but the RP (for my OpenID Connect provider) that Auth0 is hosting is checking the nonce?!

lily.wisecarver · November 19, 2019, 9:59pm

Hi @mash!

Thank you for reaching out to us and for your patience!

Are you sending a nonce in the authentication attempt? This document may be of some help: Implicit Flow with Form Post

Also, I would suggest adding nonce to your authentication string.

Please let me know if this helps.

mash · November 20, 2019, 1:39pm

Investigating … will get back when problem persists …

mash · November 22, 2019, 3:18pm

There was a problem in the custom OpenID Provider. Now it seems Auth0 provides more detailed error description and that helped to resolve the problem. Thanks!

system · December 7, 2019, 3:18pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.