Merge pull request #5533 from zyhfish/task/fix-5532

Fix #5532: add require nonce setting.
2025-08-27 13:55:20 -04:00
parent 8684e03af1 f451cfce09
commit 66c4737021
3 changed files with 22 additions and 0 deletions
--- a/Oqtane.Client/Modules/Admin/Users/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Users/Index.razor
@ -413,6 +413,18 @@ else
                                    </select>
                                </div>
                            </div>
+                            @if (_providertype == AuthenticationProviderTypes.OpenIDConnect)
+                            {
+                                <div class="row mb-1 align-items-center">
+                                    <Label Class="col-sm-3" For="requirenonce" HelpText="Specify the RequireNonce property for OpenID Connect Authentication." ResourceKey="RequireNonce">Require Nonce?</Label>
+                                    <div class="col-sm-9">
+                                        <select id="requirenonce" class="form-select" @bind="@_requirenonce" required>
+                                            <option value="true">@SharedLocalizer["Yes"]</option>
+                                            <option value="false">@SharedLocalizer["No"]</option>
+                                        </select>
+                                    </div>
+                                </div>
+                            }
                            <div class="row mb-1 align-items-center">
                                <Label Class="col-sm-3" For="domainfilter" HelpText="Provide any email domain filter criteria (separated by commas). Domains to exclude should be prefixed with an exclamation point (!). For example 'microsoft.com,!hotmail.com' would include microsoft.com email addresses but not hotmail.com email addresses." ResourceKey="DomainFilter">Domain Filter:</Label>
                                <div class="col-sm-9">
@ -557,6 +569,7 @@ else
    private string _synchronizeroles;
    private string _profileclaimtypes;
    private string _savetokens;
+    private string _requirenonce;
    private string _domainfilter;
    private string _createusers;
    private string _verifyusers;
@ -643,6 +656,7 @@ else
        _synchronizeroles = SettingService.GetSetting(settings, "ExternalLogin:SynchronizeRoles", "false");
        _profileclaimtypes = SettingService.GetSetting(settings, "ExternalLogin:ProfileClaimTypes", "");
        _savetokens = SettingService.GetSetting(settings, "ExternalLogin:SaveTokens", "false");
+        _requirenonce = SettingService.GetSetting(settings, "ExternalLogin:RequireNonce", "true");
        _domainfilter = SettingService.GetSetting(settings, "ExternalLogin:DomainFilter", "");
        _createusers = SettingService.GetSetting(settings, "ExternalLogin:CreateUsers", "true");
        _verifyusers = SettingService.GetSetting(settings, "ExternalLogin:VerifyUsers", "true");
@ -762,6 +776,7 @@ else
                settings = SettingService.SetSetting(settings, "ExternalLogin:SynchronizeRoles", _synchronizeroles, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:ProfileClaimTypes", _profileclaimtypes, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:SaveTokens", _savetokens, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:RequireNonce", _requirenonce, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:DomainFilter", _domainfilter, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:CreateUsers", _createusers, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:VerifyUsers", _verifyusers, true);
--- a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
+++ b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
@ -513,6 +513,12 @@
  <data name="OIDC" xml:space="preserve">
    <value>OpenID Connect (OIDC)</value>
  </data>
+  <data name="RequireNonce.Text" xml:space="preserve">
+    <value>Require Nonce?</value>
+  </data>
+  <data name="RequireNonce.HelpText" xml:space="preserve">
+    <value>Specify the RequireNonce property for OpenID Connect Authentication.</value>
+  </data>
  <data name="SaveTokens.Text" xml:space="preserve">
    <value>Save Tokens?</value>
  </data>
--- a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
+++ b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
@ -63,6 +63,7 @@ namespace Oqtane.Extensions
                    options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // default is authorization code flow
                    options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false"));
                    options.SaveTokens = bool.Parse(sitesettings.GetValue("ExternalLogin:SaveTokens", "false"));
+                    options.ProtocolValidator.RequireNonce = bool.Parse(sitesettings.GetValue("ExternalLogin:RequireNonce", "true"));
                    if (!string.IsNullOrEmpty(sitesettings.GetValue("ExternalLogin:RoleClaimType", "")))
                    {
                        options.TokenValidationParameters.RoleClaimType = sitesettings.GetValue("ExternalLogin:RoleClaimType", "");