Include the option to include an authorisation request nonce in the OIDC Source configuration

[brendanarnold]

I am trying to federate login to an upstream OIDC OP (GovUK One Login) that requires a nonce in the /authorize call but there is no nonce included in the call nor is there an option to include one.

I'd like an option in the advanced Source setting to be able to include a random nonce string on requests. Ideally it would be checked on return.

I've tried configuring the OIDC Source every which way - I've also checked the source code and it just doesn't have an option to include.

This makes integration with GovUK One Login impossible out of the box.

[brendanarnold]

Implementation could be adapted from this PR which adds the option to add PKCE to the Source auth request - it touches similar files and establishes the patterns for the change.

Main difference is that I think nonce's are checked on return for integrity and that the UI/data is a boolean rather than a text field

[BeryJu]

Refreshing my memory on when and when not the nonce param is used, it needs to be validated against the value in the id_token. However we'd only get an id_token if the response_type were to include id_token or we were using a hybrid/implicit flow which isn't the case. As a result we shouldn't be getting an ID token from the remote system and a nonce shouldn't be a requirement as we wouldn't be able to compare it to anything.

[mrwilson]

Hi, thanks for considering this issue raised by @brendanarnold.

I work on GOV.UK One Login (OL) so I can give a bit more context around this request!

OL provides the OpenID Connect authorisation code flow only; the ID token provided by One Login is returned by the /token endpoint rather than as part of the authorisation redirect.

Using a nonce parameter is optional according to the OIDC specification but the OAuth2 security best practice guide, which we try to follow, recommends that either nonce or PKCE is mandatory for authorisation code flow to prevent a specific class of injection attacks.

OL supports both nonce and PKCE for relying party (RP) connections and we’ve successfully integrated with other providers such as Keycloak which support at least one of these capabilities.

We noticed that you’re in the process of building out PKCE support for OAuth connections in another PR; this would meet our connection requirements for Brendan’s service.

[BeryJu]

@mrwilson @brendanarnold We've just released the release candidate for authentik 2025.10, which includes the option to enable PKCE on OAuth sources. You can set AUTHENTIK_TAG=2025.10.0-rc3 in the .env file to update to the RC

[brendanarnold]

Thanks @BeryJu we are currently doing some testing on this, will report back