chore: remove an unused nonce from OAuth flow (#1649)

woodruffw · jku · web-flow · commit a2eb492fd0b1 · 2026-01-09T10:22:24.000-05:00
Co-authored-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/sigstore/_internal/oidc/oauth.py b/sigstore/_internal/oidc/oauth.py
@@ -130,7 +130,7 @@ def __exit__(
 
 
 class _OAuthRedirectHandler(http.server.BaseHTTPRequestHandler):
-    def log_message(self, _format: str, *_args: Any) -> None:
+    def log_message(self, format: str, *_args: Any) -> None:
         pass
 
     def do_GET(self) -> None:
@@ -177,7 +177,6 @@ def __init__(self, client_id: str, client_secret: str, issuer: Issuer):
         self._client_secret = client_secret
         self._issuer = issuer
         self._state = str(uuid.uuid4())
-        self._nonce = str(uuid.uuid4())
 
         self.code_verifier = B64Str(
             base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
@@ -197,7 +196,7 @@ def auth_endpoint(self, redirect_uri: str) -> str:
         # Defensive programming: we don't have a nice way to limit the
         # lifetime of the OAuth session here, so we use the internal
         # "poison" flag to check if we're attempting to reuse it in a way
-        # that would compromise the flow's security (i.e. nonce reuse).
+        # that would compromise the flow's security (i.e. state reuse).
         if self.__poison:
             raise IdentityError("internal error: OAuth endpoint misuse")
         else:
@@ -216,7 +215,6 @@ def _auth_params(self, redirect_uri: str) -> dict[str, Any]:
             "code_challenge": self.code_challenge,
             "code_challenge_method": "S256",
             "state": self._state,
-            "nonce": self._nonce,
         }
 
 
diff --git a/sigstore/_internal/sct.py b/sigstore/_internal/sct.py
@@ -211,7 +211,7 @@ def verify_sct(
                 f"SCT verify: Invalid issuer pubkey basicConstraint (not a CA): {issuer_pubkey}"
             )
 
-        if not isinstance(issuer_pubkey, (rsa.RSAPublicKey, ec.EllipticCurvePublicKey)):
+        if not isinstance(issuer_pubkey, rsa.RSAPublicKey | ec.EllipticCurvePublicKey):
             raise VerificationError(
                 f"SCT verify: invalid issuer pubkey format (not ECDSA or RSA): {issuer_pubkey}"
             )
diff --git a/sigstore/models.py b/sigstore/models.py
@@ -128,7 +128,7 @@ def _from_v1_response(cls, dict_: dict[str, Any]) -> TransparencyLogEntry:
         body_entry: ProposedEntry = TypeAdapter(ProposedEntry).validate_json(
             base64.b64decode(entry["body"])
         )
-        if not isinstance(body_entry, (Hashedrekord, Dsse)):
+        if not isinstance(body_entry, Hashedrekord | Dsse):
             raise InvalidBundle("log entry is not of expected type")
 
         raw_inclusion_proof = entry["verification"]["inclusionProof"]

Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@ def verify_sct(`
`211`	`211`	`f"SCT verify: Invalid issuer pubkey basicConstraint (not a CA): {issuer_pubkey}"`
`212`	`212`	`)`
`213`	`213`
`214`		`- if not isinstance(issuer_pubkey, (rsa.RSAPublicKey, ec.EllipticCurvePublicKey)):`
	`214`	`+ if not isinstance(issuer_pubkey, rsa.RSAPublicKey \| ec.EllipticCurvePublicKey):`
`215`	`215`	`raise VerificationError(`
`216`	`216`	`f"SCT verify: invalid issuer pubkey format (not ECDSA or RSA): {issuer_pubkey}"`
`217`	`217`	`)`
Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,7 @@ def _from_v1_response(cls, dict_: dict[str, Any]) -> TransparencyLogEntry:`
`128`	`128`	`body_entry: ProposedEntry = TypeAdapter(ProposedEntry).validate_json(`
`129`	`129`	`base64.b64decode(entry["body"])`
`130`	`130`	`)`
`131`		`- if not isinstance(body_entry, (Hashedrekord, Dsse)):`
	`131`	`+ if not isinstance(body_entry, Hashedrekord \| Dsse):`
`132`	`132`	`raise InvalidBundle("log entry is not of expected type")`
`133`	`133`
`134`	`134`	`raw_inclusion_proof = entry["verification"]["inclusionProof"]`