From bacab1c93924c53b81e5a9e253aba13edc7e8781 Mon Sep 17 00:00:00 2001
From: pfzetto
Date: Thu, 6 Nov 2025 18:44:10 +0100
Subject: [PATCH] fix: #34 optional nonce in ID token refresh

Only verify nonce in token request response if one was given.

---
 src/middleware.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/middleware.rs b/src/middleware.rs
index 5eb14e6..0eddfa4 100644
--- a/src/middleware.rs
+++ b/src/middleware.rs
@@ -14,7 +14,7 @@ use tower_sessions::Session;
 use openidconnect::{
 core::{CoreAuthenticationFlow, CoreErrorResponseType, CoreGenderClaim, CoreJsonWebKey},
 AccessToken, AccessTokenHash, AuthenticationContextClass, CsrfToken, IdTokenClaims,
- IdTokenVerifier, Nonce, OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
+ IdTokenVerifier, Nonce, NonceVerifier, OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
 RequestTokenError::ServerResponse, Scope, TokenResponse,
 };
@@ -367,7 +367,12 @@ async fn try_refresh_token(
 .id_token()
 .ok_or(MiddlewareError::IdTokenMissing)?;
 let id_token_verifier = client.client.id_token_verifier();
- let claims = id_token.claims(&id_token_verifier, nonce)?;
+ let claims = id_token.claims(&id_token_verifier, |claims_nonce: Option<&Nonce>| {
+ match claims_nonce {
+ Some(_) => nonce.verify(claims_nonce),
+ None => Ok(()),
+ }
+ })?;
 validate_access_token_hash(
 id_token,