Open
Description
The Apple OAuth sign-in flow does not include a nonce parameter. While the server performs JWKS-based verification of the Apple ID token (validating signature, issuer, audience, and expiry), it does not bind the token to a specific authentication request via a nonce.
Apple recommends including a nonce -- generated per authentication request and bound to the session/state -- to prevent ID token replay attacks. Without a nonce, a valid ID token intercepted from one authentication flow could theoretically be replayed in another session.
Why it matters
- Security: Prevents ID token replay attacks, following Apple's recommended best practices for Sign in with Apple
- Defense in depth: The existing JWKS verification and short token expiry provide strong baseline security, but nonce binding adds another layer
Components affected
src/server/ -- OAuth route handlers and token verification logic
Possible approach
- Generate a cryptographically random nonce during the authorization request
- Bind the nonce to the OAuth state parameter (which is already session-bound)
- Pass the nonce to Apple's authorization endpoint
- After receiving the ID token, verify that the `nonce` claim in the decoded JWT matches the expected value
Context
Identified during review of the server-side-auth branch (commits implementing server-side OAuth state binding and Apple provider handling).