okta / samples-golang

https://github.com/okta/samples-golang
Apache License 2.0

okta-hosted-login: nonce is a global but used for multiple sessions #88

Open jimsnab opened 2 years ago

jimsnab commented 2 years ago

The code declares nonce as a global, but assigns this global in the login handler (per user) and reads it in verifyToken. This doesn't work if two separate users are logging in at the same time.

monde commented 2 years ago

Thanks @jimsnab. We're in the process of updating our samples. I'll correct the nonce usage when I'm done with the other updates.

jimsnab commented 2 years ago

@monde excellent. As of now I don't see how nonce prevents man-in-the-middle replay, because the server that initiates authentication doesn't seem to have a solid way of keeping track of which client is associated with the auth code callback.

What I've done is save the generated nonce on the server for up to 1 minute, and upon receiving the auth code, try each saved nonce when validating the jwt. At least this way the attack window is only 1 minute, and the server-generated nonce can be destroyed after the first successful jwt validation.

My approach is janky, and I'm looking forward to okta guidance on the right way to handle nonce.

askreet commented 11 months ago

@monde Any updates here? I'm using this code as a basis and I've immediately noticed the same: both the state and the nonce are stored in globals and assume a single session on a single process. For any service deployed in a highly available fashion, this will fail.
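The problem described in the opening report and again in the comment above is that a single global `nonce` (and `state`) is overwritten by every concurrent login. The example below is an added illustration, not code from okta/samples-golang or from any commenter: it keys each in-flight login by its own `state` value, stores the matching `nonce` with a short expiry, and deletes the record on first use so a callback's state cannot be replayed. The in-memory map, the one-minute TTL and the `LoginStore` names are assumptions for this example; a multi-instance deployment would back the map with a shared store or carry the pair in an encrypted session cookie instead.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrUnknownState is returned when a callback's state was never issued,
// has expired, or was already consumed (single use).
var ErrUnknownState = errors.New("unknown, expired or already-used state")

// loginAttempt is the per-login record created when the browser is redirected
// to the authorization endpoint. One record per in-flight login, never a global.
type loginAttempt struct {
	nonce   string
	expires time.Time
}

// LoginStore keys in-flight logins by the opaque `state` parameter.
// The in-memory map is an assumption for this example (see lead-in).
type LoginStore struct {
	mu       sync.Mutex
	attempts map[string]loginAttempt
	ttl      time.Duration
	now      func() time.Time // injectable clock so expiry can be tested
}

func NewLoginStore(ttl time.Duration) *LoginStore {
	return &LoginStore{attempts: map[string]loginAttempt{}, ttl: ttl, now: time.Now}
}

// randomToken returns 256 bits from crypto/rand as unpadded URL-safe base64.
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Begin issues a fresh state and nonce for one login and records the nonce
// under the state. Both values go into the authorize URL; neither is global.
func (s *LoginStore) Begin() (state, nonce string, err error) {
	if state, err = randomToken(); err != nil {
		return "", "", err
	}
	if nonce, err = randomToken(); err != nil {
		return "", "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.purgeLocked()
	s.attempts[state] = loginAttempt{nonce: nonce, expires: s.now().Add(s.ttl)}
	return state, nonce, nil
}

// Consume resolves the state returned on the callback to the nonce expected in
// the ID token. The record is deleted on lookup, so each state works once only.
func (s *LoginStore) Consume(state string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.purgeLocked()
	a, ok := s.attempts[state]
	if !ok {
		return "", ErrUnknownState
	}
	delete(s.attempts, state)
	return a.nonce, nil
}

// purgeLocked drops expired attempts; the caller must hold s.mu.
func (s *LoginStore) purgeLocked() {
	now := s.now()
	for k, a := range s.attempts {
		if now.After(a.expires) {
			delete(s.attempts, k)
		}
	}
}

// VerifyNonce compares the nonce claim of an ID token (whose signature has
// already been checked) against the nonce stored for this login, in constant time.
func VerifyNonce(expected, claimed string) error {
	if expected == "" || subtle.ConstantTimeCompare([]byte(expected), []byte(claimed)) != 1 {
		return errors.New("nonce mismatch")
	}
	return nil
}

func main() {
	store := NewLoginStore(time.Minute)
	stateA, nonceA, _ := store.Begin() // user A starts logging in
	stateB, nonceB, _ := store.Begin() // user B starts before A's callback arrives
	gotB, _ := store.Consume(stateB)   // callbacks may arrive in any order
	gotA, _ := store.Consume(stateA)
	fmt.Println("B ok:", VerifyNonce(gotB, nonceB) == nil, "A ok:", VerifyNonce(gotA, nonceA) == nil)
	_, err := store.Consume(stateA) // second use of A's state is rejected
	fmt.Println("replay rejected:", errors.Is(err, ErrUnknownState))
}
```

In the callback handler, `Consume` is called with the `state` query parameter before the authorization code is exchanged; the nonce it returns is then passed to `VerifyNonce` alongside the `nonce` claim of the verified ID token. Keying by state rather than trying every saved nonce ties the callback to the exact browser session that started it, which is the linkage the global variable loses.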

monde commented 11 months ago

@askreet we're not currently putting any development cycles into okta/samples-golang. Please open a https://support.okta.com/ ticket to get immediate help from a support engineer.

cc: @jefftaylor-okta

zymsys commented 11 months ago

I just submitted the above PR to address this issue. I realize it isn't likely to be merged, but maybe it will help others facing the same problem.