[Code Flow, Ory Hydra 2.3.0] "nonce" is omitted in ID Token when passed as request parameter (not inside signed JWT Request Object) #4069

@RomanTopalov

Preflight checklist

Ory Network Project

No response

Describe the bug

Details:

Issue
When using a signed request parameter (Request Object) without nonce inside the JWT, but providing nonce as a regular query parameter:

&nonce=testNonce123

Hydra does not include nonce in the issued ID Token.
If nonce is included inside the signed JWT, the ID Token correctly contains it.

Sample Request (mocked):

https://auth.example.com/oauth2/auth
?request=<signed_jwt>
&response_type=code
&client_id=test-client
&scope=openid
&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback
&nonce=testNonce123

Expected Behavior
If nonce is provided as an authorization request parameter (even outside the Request Object), it should be included in the ID Token.

Reproducing the bug

Construct a request using the following example:

https://auth.example.com/oauth2/auth?request=<signed_jwt>&response_type=code&client_id=test-client&scope=openid&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&nonce=testNonce123

If the nonce is absent from the JWT request, it won't be returned in the ID Token.

Relevant log output

Relevant configuration

Version

2.3.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response
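
A relying party can detect this condition on its own side. The following is an added example, not code from the issue or from the Ory Hydra project: it lists which authorization parameters sit outside the signed Request Object and checks whether an ID Token echoes the nonce that was sent. All function names are hypothetical, the tokens are constructed samples with a placeholder signature, and signature verification is assumed to happen elsewhere.

```python
import base64, hmac, json
from urllib.parse import parse_qs, urlencode, urlsplit

def jwt_claims(token):
    """Payload claims of a compact JWS. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def params_outside_request_object(auth_url):
    """Query parameters that the signed Request Object does not carry."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    signed = jwt_claims(query.pop("request"))
    return {k: v for k, v in query.items() if k not in signed}

def check_id_token_nonce(id_token, sent_nonce):
    """Relying-party check: returns 'ok', 'missing' or 'mismatch'."""
    got = jwt_claims(id_token).get("nonce")
    if not isinstance(got, str):
        return "missing"
    same = hmac.compare_digest(got.encode(), sent_nonce.encode())
    return "ok" if same else "mismatch"

def make_sample_jwt(claims):
    """Constructed test token: real structure, placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"

# Constructed sample mirroring the request in the issue: nonce only in the query.
REQUEST_OBJECT = make_sample_jwt({
    "response_type": "code", "client_id": "test-client", "scope": "openid",
    "redirect_uri": "https://app.example.com/callback"})
AUTH_URL = "https://auth.example.com/oauth2/auth?" + urlencode({
    "request": REQUEST_OBJECT, "response_type": "code",
    "client_id": "test-client", "scope": "openid",
    "redirect_uri": "https://app.example.com/callback", "nonce": "testNonce123"})
# Constructed ID Token payload with no nonce claim, as the issue reports.
ID_TOKEN_WITHOUT_NONCE = make_sample_jwt({"sub": "user-1", "aud": "test-client"})

if __name__ == "__main__":
    print(params_outside_request_object(AUTH_URL))
    print(check_id_token_nonce(ID_TOKEN_WITHOUT_NONCE, "testNonce123"))
```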

Labels: bug (Something is not working.)
