Chris Downs asked

OpenIdConnect: Token nonce reuse is not permitted

I am testing the LoginWithOpenIdConnect call in the Client API with Postman and I run into the following error when making multiple calls with the same IdToken:

{
    "code": 403,
    "status": "Forbidden",
    "error": "NotAuthorized",
    "errorCode": 1089,
    "errorMessage": "Token nonce reuse is not permitted. Nonce values must be unique, and after use are invalid until the expiry of the OpenID Connect token or PlayFab token, whichever comes first."
}

Here is my (obfuscated) request:

POST /Client/LoginWithOpenIdConnect?sdk=PostmanCollection-0.76.190219 HTTP/1.1
Host: XXXX.playfabapi.com
X-PlayFabSDK: PostmanCollection-0.76.190219
Content-Type: application/json
cache-control: no-cache
Postman-Token: 94017929-b4d8-4272-9fc3-5e016b0acb36

{
  "TitleId": "XXXX",
  "ConnectionId": "XXX",
  "IdToken": "XXX",
  "CreateAccount": true
}

The above call with a fresh token works, but if I make a subsequent call with the same token I receive the error. Given that nothing in the documentation indicates that I have control over the nonce, it would seem that it is being reused in your backend instead of being generated per request. Let me know if that is not the case.

The X-RequestId of one of my failed requests is 1-5c775aa2-5021517c78e637e826a6936c if that helps.

Chris Downs commented ·

Upon further investigation it looks like the nonce is actually baked into my IdToken. Is it safe to assume that this error occurs because you do not expect someone to attempt to log in with OpenId twice with the same token?

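The behaviour the error message describes (a nonce carried inside the ID token, accepted once, then held as used until the ID token or the PlayFab session expires, whichever is sooner) is a standard replay defence on the relying-party side. The following is an added example of that check, not PlayFab's code or any part of the Client API; the HS256 signing secret, the issuer, the subject and the nonce values are constructed for the demo (a real provider signs ID tokens with its published JWKS keys, which changes only the signature step), and the 403/1089 response shape simply mirrors the error body quoted in the question.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the HS256 demo tokens (hypothetical; a real
# OIDC provider uses asymmetric keys and the verifier fetches its JWKS).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 ID token; the nonce travels inside the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, now: int) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's choice of alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "nonce" not in claims or "exp" not in claims:
        raise ValueError("nonce and exp claims are required")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


class NonceRegistry:
    """Remembers consumed nonces until min(ID-token exp, session exp)."""

    def __init__(self) -> None:
        self._used = {}  # nonce -> unix time at which the hold ends

    def consume(self, nonce: str, token_exp: int, session_exp: int, now: int) -> bool:
        # Forget holds that have ended; a nonce becomes acceptable again only
        # after both the ID token and the session it minted are gone.
        self._used = {n: until for n, until in self._used.items() if until > now}
        if nonce in self._used:
            return False
        self._used[nonce] = min(token_exp, session_exp)
        return True


def login_with_id_token(token: str, registry: NonceRegistry, now: int,
                        session_ttl: int = 3600, secret: bytes = DEMO_SECRET) -> dict:
    """Relying-party login: verify the token, then enforce single use of its nonce."""
    try:
        claims = verify_id_token(token, secret, now)
    except ValueError as exc:
        return {"code": 401, "error": "InvalidToken", "errorMessage": str(exc)}
    session_exp = now + session_ttl
    if not registry.consume(claims["nonce"], claims["exp"], session_exp, now):
        return {"code": 403, "status": "Forbidden", "error": "NotAuthorized",
                "errorCode": 1089, "errorMessage": "Token nonce reuse is not permitted."}
    return {"code": 200, "subject": claims.get("sub"), "sessionExpires": session_exp}


if __name__ == "__main__":
    now = 1_700_000_000
    registry = NonceRegistry()
    token = make_id_token({"iss": "https://idp.example", "sub": "user-1",
                           "nonce": "n-1", "exp": now + 600})
    print(login_with_id_token(token, registry, now))      # first use: 200
    print(login_with_id_token(token, registry, now + 5))  # replay: 403 / 1089
```

Replaying the identical token hits the registry and is refused; logging into the identity provider again yields a token with a fresh nonce, which is accepted. A token refresh that hands back the same ID token (same nonce) will be refused in exactly the same way until the hold period ends.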
Andy answered

That looks like it's by design. My expectation is that if you log into your identity provider again you'll get a new JWT with a new nonce that you can provide us. If that's not the case, please let us know.

Ather Rizvi answered

Hi,

This doesn't seem to work when I refresh my token.

Request-Id: 1-5eec325c-1e9a6f5315736460dd9c0769
