diff --git a/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java b/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java
index 23f4bbc4..dfc1138b 100644
--- a/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java
+++ b/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java
@@ -84,6 +84,7 @@ import java.net.Proxy;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
@@ -110,7 +111,7 @@ public class AzureSecurityRealm extends SecurityRealm {
 private static final String TIMESTAMP_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".beginTime";
 private static final String NONCE_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".nonce";
 private static final Logger LOGGER = Logger.getLogger(AzureSecurityRealm.class.getName());
- private static final int NONCE_LENGTH = 10;
+ private static final int NONCE_LENGTH = 16;
 public static final String CALLBACK_URL = "/securityRealm/finishLogin";
 private static final String CONVERTER_NODE_CLIENT_ID = "clientid";
 private static final String CONVERTER_NODE_CLIENT_SECRET = "clientsecret";
@@ -427,7 +428,12 @@ public HttpResponse doFinishLogin(StaplerRequest request)
 JwtClaims validateIdToken(String expectedNonce, String idToken) throws InvalidJwtException {
 JwtClaims claims = getJwtConsumer().processToClaims(idToken);
 final String responseNonce = (String) claims.getClaimValue("nonce");
- if (StringUtils.isAnyEmpty(expectedNonce, responseNonce) || !expectedNonce.equals(responseNonce)) {
+ if (StringUtils.isAnyEmpty(expectedNonce, responseNonce) ||
+ !MessageDigest.isEqual(
+ expectedNonce.getBytes(StandardCharsets.UTF_8),
+ responseNonce.getBytes(StandardCharsets.UTF_8)
+ )
+ ) {
 throw new IllegalStateException(String.format("Invalid nonce in the response, "
 + "expected: %s actual: %s", expectedNonce, responseNonce));
 }
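Review bot: `NONCE_LENGTH` is raised to 16 without a comment stating what unit the value is in or why 16 is sufficient, and the code that consumes it to build the nonce is outside this hunk, so a reader cannot tell whether this yields 16 characters from a restricted alphabet or 16 bytes of raw randomness. Suggest a comment on the constant such as `// Length of the per-login OIDC nonce sent to the IdP; it must be produced from a cryptographically secure source and be long enough to be unguessable within the login window`. It is also worth confirming in the generator, which is not visible here, that the entropy source is SecureRandom rather than a general-purpose Random, since raising the length does not help if the source is predictable.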
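Review bot: The constant-time comparison is a sound change, but the unchanged line just above it still casts with `(String) claims.getClaimValue("nonce")`, so an id_token whose `nonce` claim is not a string fails with a ClassCastException rather than the IllegalStateException this check produces; jose4j's `claims.getStringClaimValue("nonce")` reports that case as a MalformedClaimException, which can be wrapped into the same IllegalStateException so callers see one failure type. The six-line condition ending in a dangling `)` would read better as a small helper, shown below, and the unchanged throw beneath it still echoes the expected nonce into the exception message, which is worth reconsidering if that message can reach logs or the browser. Note that `MessageDigest.isEqual` returns early when the two lengths differ, which is acceptable here since the nonce length is not secret. validateIdToken continues past the end of the hunk.
```java
/** Constant-time check that the nonce in the id_token matches the one issued for this login. */
private static boolean nonceMatches(String expected, String actual) {
    return !StringUtils.isAnyEmpty(expected, actual)
            && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    actual.getBytes(StandardCharsets.UTF_8));
}

// … in validateIdToken, replacing the six-line condition …
if (!nonceMatches(expectedNonce, responseNonce)) {
```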