#434 Remove the nonce cache.

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

@@ -16,7 +16,6 @@ using System.Threading.Tasks;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
 using Microsoft.AspNet.Http.Features.Authentication;
-using Microsoft.Framework.Caching.Distributed;
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
@@ -203,23 +202,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
             if (Options.ProtocolValidator.RequireNonce)
             {
                 message.Nonce = Options.ProtocolValidator.GenerateNonce();
-                if (Options.CacheNonces)
-                {
-                    if (await Options.NonceCache.GetAsync(message.Nonce) != null)
-                    {
-                        Logger.LogError(Resources.OIDCH_0033_NonceAlreadyExists, message.Nonce);
-                        throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0033_NonceAlreadyExists, message.Nonce));
-                    }
-
-                    await Options.NonceCache.SetAsync(message.Nonce, new byte[0], new DistributedCacheEntryOptions
-                    {
-                        AbsoluteExpirationRelativeToNow = Options.ProtocolValidator.NonceLifetime
-                    });
-                }
-                else
-                {
-                    WriteNonceCookie(message.Nonce);
-                }
+                WriteNonceCookie(message.Nonce);
             }
 
             GenerateCorrelationId(properties);
@@ -1021,23 +1004,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
             string nonce = jwt?.Payload.Nonce;
             if (!string.IsNullOrEmpty(nonce))
             {
-                if (Options.CacheNonces)
-                {
-                    if (await Options.NonceCache.GetAsync(nonce) != null)
-                    {
-                        await Options.NonceCache.RemoveAsync(nonce);
-                    }
-                    else
-                    {
-                        // If the nonce cannot be removed, it was
-                        // already used and MUST be rejected.
-                        nonce = null;
-                    }
-                }
-                else
-                {
-                    nonce = ReadNonceCookie(nonce);
-                }
+                nonce = ReadNonceCookie(nonce);
             }
 
             var protocolValidationContext = new OpenIdConnectProtocolValidationContext

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs

@@ -8,8 +8,6 @@ using System.Text;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.DataProtection;
 using Microsoft.AspNet.Http;
-using Microsoft.Framework.Caching.Distributed;
-using Microsoft.Framework.DependencyInjection;
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
@@ -129,13 +127,6 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
                     Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(), Backchannel);
                 }
             }
-
-            if (Options.CacheNonces && Options.NonceCache == null)
-            {
-                // Use the global distributed cache if the user has not provided his own instance.
-                // Note: GetRequiredService will throw an exception if caching services have not been registered.
-                Options.NonceCache = services.GetRequiredService<IDistributedCache>();
-            }
         }
 
         protected HttpClient Backchannel { get; private set; }

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs

@@ -9,7 +9,6 @@ using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
-using Microsoft.Framework.Caching.Distributed;
 using Microsoft.Framework.WebEncoders;
 using Microsoft.IdentityModel.Protocols;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
@@ -133,19 +132,6 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
         /// </summary>
         public string MetadataAddress { get; set; }
 
-        /// <summary>
-        /// The OpenIdConnect protocol http://openid.net/specs/openid-connect-core-1_0.html
-        /// recommends adding a nonce to a request as a mitigation against replay attacks when requesting id_tokens.
-        /// By default the runtime uses cookies with unique names generated from a hash of the nonce.
-        /// </summary>
-        public IDistributedCache NonceCache { get; set; }
-
-        /// <summary>
-        /// Gets or sets the value indicating whether nonces should be stored in the distributed cache or not.
-        /// The default value, <c>false</c>, is used to store nonces in client cookies.
-        /// </summary>
-        public bool CacheNonces { get; set; }
-
         /// <summary>
         /// Gets or sets the <see cref="IOpenIdConnectEvents"/> to notify when processing OpenIdConnect messages.
         /// </summary>

src/Microsoft.AspNet.Authentication.OpenIdConnect/project.json

@@ -7,7 +7,6 @@
     },
     "dependencies": {
         "Microsoft.AspNet.Authentication": "1.0.0-*",
-        "Microsoft.Framework.Caching.Abstractions": "1.0.0-*",
         "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" },
         "Microsoft.IdentityModel.Protocols.OpenIdConnect": "2.0.0-beta7-*"
     },