From d82e17422c5c497a3484ec0ef695e4a4327b869f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=91cze=20Bence?=
Date: Wed, 20 Aug 2025 01:17:37 +0200
Subject: [PATCH] make nonce optional
---
 .../migrations/structure/20250820_0113_oauth_nonce_null.sql | 2 ++
 src/Controller/OAuthController.php | 4 +++-
 src/Controller/OAuthSessionController.php | 2 +-
 src/PersistentData/Model/OAuthSession.php | 6 +++---
 4 files changed, 9 insertions(+), 5 deletions(-)
 create mode 100644 database/migrations/structure/20250820_0113_oauth_nonce_null.sql
diff --git a/database/migrations/structure/20250820_0113_oauth_nonce_null.sql b/database/migrations/structure/20250820_0113_oauth_nonce_null.sql
new file mode 100644
index 0000000..d2d74c8
--- /dev/null
+++ b/database/migrations/structure/20250820_0113_oauth_nonce_null.sql
@@ -0,0 +1,2 @@
+ALTER TABLE `oauth_sessions`
+MODIFY `nonce` varchar(255) CHARACTER SET ascii COLLATE ascii_bin DEFAULT NULL;
diff --git a/src/Controller/OAuthController.php b/src/Controller/OAuthController.php
index 66aaa4b..616c582 100644
--- a/src/Controller/OAuthController.php
+++ b/src/Controller/OAuthController.php
@@ -109,8 +109,10 @@ class OAuthController
 'nbf' => $session->getCreatedDate()->getTimestamp(),
 'exp' => $token->getExpiresDate()->getTimestamp(),
 'aud' => $session->getClientId(),
- 'nonce' => $session->getNonce()
 ];
+ if ($session->getNonce() !== null) {
+ $commonPayload['none'] = $session->getNonce();
+ }
 $idTokenPayload = array_merge($commonPayload, $this->getUserInfoInternal(
 $this->userRepository->getById($session->getUserId()),
 $session->getScopeArray())
diff --git a/src/Controller/OAuthSessionController.php b/src/Controller/OAuthSessionController.php
index 6644ca5..5452481 100644
--- a/src/Controller/OAuthSessionController.php
+++ b/src/Controller/OAuthSessionController.php
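Review bot: Rows written before this migration keep `''` for sessions that had no nonce, because `MODIFY ... DEFAULT NULL` only changes the column definition and does not convert stored values. The removed lines in OAuthSessionController.php show the old code storing an empty string in that case, so such a row still passes the `getNonce() !== null` check added in OAuthController.php. If sessions can outlive the deploy, follow the ALTER with `UPDATE oauth_sessions SET nonce = NULL WHERE nonce = '';`.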
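Review bot: The added assignment in OAuthController.php writes the claim under the key `'none'` instead of `'nonce'`, so no token built from `$commonPayload` carries a nonce any more, even when the client sent one. A relying party that validates the nonce will reject the ID token, and one that does not loses the binding between its authorization request and the returned token, which is what the nonce provides against token replay. The line should read `$commonPayload['nonce'] = $session->getNonce();`. The enclosing method starts and ends outside the hunk, so whether `$commonPayload` also feeds other tokens is not visible here. A test asserting that the decoded ID token echoes the request nonce would catch this.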
@@ -29,7 +29,7 @@ class OAuthSessionController implements IAuthenticationRequired
 $clientId = \Container::$request->query('client_id');
 $scope = \Container::$request->query('scope') ? \Container::$request->query('scope'): '';
 $state = \Container::$request->query('state');
- $nonce = \Container::$request->query('nonce') ? \Container::$request->query('nonce'): '';
+ $nonce = \Container::$request->query('nonce') ? \Container::$request->query('nonce'): null;
 $codeChallenge = \Container::$request->query('code_challenge') ?: null;
 $codeChallengeMethod = \Container::$request->query('code_challenge_method') ?: null;
diff --git a/src/PersistentData/Model/OAuthSession.php b/src/PersistentData/Model/OAuthSession.php
index d0f1579..cb442a8 100644
--- a/src/PersistentData/Model/OAuthSession.php
+++ b/src/PersistentData/Model/OAuthSession.php
@@ -19,7 +19,7 @@ class OAuthSession extends Model
 private array $scope = [];
- private string $nonce = '';
+ private ?string $nonce = '';
 private ?string $codeChallenge = null;
@@ -52,7 +52,7 @@ class OAuthSession extends Model
 $this->setScopeArray(explode(' ', $scope));
 }
- public function setNonce(string $nonce): void
+ public function setNonce(?string $nonce): void
 {
 $this->nonce = $nonce;
 }
@@ -125,7 +125,7 @@ class OAuthSession extends Model
 return $this->scope;
 }
- public function getNonce(): string
+ public function getNonce(): ?string
 {
 return $this->nonce;
 }
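Review bot: In OAuthSessionController.php the truthiness test on the new `$nonce` line maps a nonce of `"0"` to null, so that request's ID token would omit the nonce the client sent. An explicit comparison keeps every non-empty value: `$nonce = \Container::$request->query('nonce');` followed by `if ($nonce === '') { $nonce = null; }`, assuming query() returns null for a missing parameter, which this hunk does not show. The value is stored in a varchar(255) ascii column and no length or charset check is visible here; if none exists elsewhere, reject over-long or non-ASCII values before storing, since a truncated nonce would no longer match what the client sent. The enclosing method continues outside the hunk.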
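Review bot: In OAuthSession.php the property becomes nullable but still defaults to `''`, so a session on which setNonce() is never called reports an empty string rather than null. That value passes the `!== null` check added in OAuthController.php and would be emitted as an empty nonce claim; how the model is hydrated from the database is not visible in this patch, so this may only affect freshly constructed objects. Change the default to match the new meaning of absence: `private ?string $nonce = null;`. The setNonce() and getNonce() hunks in the same file are consistent with the nullable type.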