Validate should ignore the ticket nonce when called with empty nonce

sso.go

@@ -11,18 +11,43 @@ import (
 )
 
 var (
-	// Errors.
-	ErrMissingRequiredField     = errors.New("missing required field")
-	ErrBadNonceLength           = errors.New("bad nonce length")
-	ErrDeserialization          = errors.New("deserialization error")
+	// ErrMissingRequiredField is returned when a ticket does not
+	// contain a required field.
+	ErrMissingRequiredField = errors.New("missing required field")
+
+	// ErrDeserialization means that the input is not valid base64.
+	ErrDeserialization = errors.New("deserialization error")
+
+	// ErrUnsupportedTicketVersion is returned for unsupported
+	// ticket versions (either too old or too recent).
 	ErrUnsupportedTicketVersion = errors.New("unsupported ticket version")
-	ErrMessageTooShort          = errors.New("encoded message too short")
-	ErrBadSignature             = errors.New("bad signature")
-	ErrBadService               = errors.New("service mismatch")
-	ErrBadDomain                = errors.New("auth domain mismatch")
-	ErrBadNonce                 = errors.New("nonce mismatch")
-	ErrExpired                  = errors.New("ticket expired")
-	ErrUnauthorized             = errors.New("unauthorized")
+
+	// ErrMessageTooShort means that the input is shorter than the
+	// fixed signature length + minimum ticket size.
+	ErrMessageTooShort = errors.New("encoded message too short")
+
+	// ErrBadSignature is returned when the signature does not
+	// match the given public key.
+	ErrBadSignature = errors.New("bad signature")
+
+	// ErrBadService is returned when validation fails due to a
+	// SSO service mismatch.
+	ErrBadService = errors.New("service mismatch")
+
+	// ErrBadDomain is returned when validation fails due to a SSO
+	// domain mismatch.
+	ErrBadDomain = errors.New("auth domain mismatch")
+
+	// ErrBadNonce is returned when validation fails due to a
+	// nonce mismatch.
+	ErrBadNonce = errors.New("nonce mismatch")
+
+	// ErrExpired means the ticket has expired.
+	ErrExpired = errors.New("ticket expired")
+
+	// ErrUnauthorized is returned when the user lacks the
+	// necessary group membership.
+	ErrUnauthorized = errors.New("unauthorized")
 )
 
 const (
@@ -234,7 +259,7 @@ func (v *ssoValidator) Validate(encoded, nonce, service string, allowedGroups []
 	if t.Expires.Before(time.Now()) {
 		return nil, ErrExpired
 	}
-	if t.Nonce != nonce {
+	if nonce != "" && t.Nonce != nonce {
 		return nil, ErrBadNonce
 	}