Skip to content

[auth] Auto-generate nonce when caller does not provide one#279

Merged
partha-uber merged 1 commit into
mainfrom
sirker-nonce-autogen
Jun 26, 2026
Merged

[auth] Auto-generate nonce when caller does not provide one#279
partha-uber merged 1 commit into
mainfrom
sirker-nonce-autogen

Conversation

@partha-uber

@partha-uber partha-uber commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • SDK now always generates a cryptographically secure nonce (SecureRandom, 32 bytes, base64url) when AuthContext.nonce is null
  • effectiveNonce = authContext.nonce ?: generateSecureToken() ensures nonce is always present in SSO query params for replay-attack prevention
  • Callers that supply their own nonce (for backend binding) are unaffected — their value is used verbatim
  • @VisibleForTesting effectiveNonce field exposed for test assertions

This brings Android to parity with iOS PR #337 (OAuthParameters.swift auto-generates nonce).

Previously merged as #273 into a stacked base branch that was already merged to main — this re-lands the change directly on main.

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

Test Plan

  • All existing tests updated for the new nonce-always-present behaviour (size assertions +1)
  • 5 new unit tests: auto-gen, caller-supplied verbatim, stability, PKCE flow, distinct per instance
  • ./gradlew :authentication:test passes

Revert Plan

Revert this commit. Nonce will become optional again (only sent when caller supplies it).

@partha-uber @claude
[auth] Auto-generate nonce when caller does not provide one
8e347ae 
- Add effectiveNonce = authContext.nonce ?: generateSecureToken() so a
  cryptographically-secure nonce is always sent on /authorize, even if
  the caller omits one (matches iOS PR #337 behaviour)
- Nonce param is now unconditional in getQueryParams (was optional)
- Update size assertions in existing tests (+1 for the always-present nonce)
- Add 5 new tests covering auto-gen, caller-supplied, stability, PKCE, and
  instance uniqueness

Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber partha-uber mentioned this pull request Jun 26, 2026
Merged
@partha-uber partha-uber merged commit 28b2a50 into main Jun 26, 2026
13 checks passed
partha-uber added a commit that referenced this pull request Jun 26, 2026
@partha-uber @claude
Remove null guard: nonce validation always runs (effectiveNonce alway…
2953c44 
…s set)

Auto-nonce (#279) guarantees effectiveNonce is never null, so the
'if (sentNonce != null)' guard is no longer needed. Validation is now
unconditional — any PKCE response without an id_token nonce claim that
matches effectiveNonce is rejected.

Update existing PKCE tests to provide a matching id_token and add two
new tests covering the always-validated path.

Co-Authored-By: Claude <noreply@anthropic.com>
partha-uber added a commit that referenced this pull request Jun 26, 2026
@partha-uber @claude
Remove null guard: nonce validation always runs (effectiveNonce alway…
1aecbd3 
…s set)

Auto-nonce (#279) guarantees effectiveNonce is never null, so the
'if (sentNonce != null)' guard is no longer needed. Validation is now
unconditional — any PKCE response without an id_token nonce claim that
matches effectiveNonce is rejected.

Update existing PKCE tests to provide a matching id_token and add two
new tests covering the always-validated path.

Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lalwani lalwani lalwani approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@partha-uber @lalwani