Messages - 2.1.2 nonce definition differs from Standard and Basic

Issue #421 invalid
Edmund Jay created an issue

The definition for nonce in Messages is

{{{
REQUIRED. A random, unique string value used to mitigate replay attacks.
}}}

In Standard & Basic, it's

{{{
nonce
A string value used to associate a browser session with an id_token, and to mitigate replay attacks. The value is passed through unmodified to the ID Token. One method is to store a random value as a signed session cookie, and pass the value in the nonce parameter. The nonce in the returned id_token is compared to the signed session cookie to detect id_token replay by third parties.
}}}

Should Messages be updated to be in sync with the other specs?
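A worked example of the nonce handling the Standard/Basic text describes (the RP stores a random value in a signed session cookie, sends it as the `nonce` parameter, and compares it with the `nonce` claim of the returned ID Token), added here as illustration and not code from the spec or the issue; the cookie key, claim values and function names are constructed, and ID Token signature validation is assumed to have happened before this check.

```python
import hmac
import hashlib
import secrets

# Hypothetical server-side key for signing the session cookie (constructed for this example).
COOKIE_KEY = b"example-cookie-signing-key"


def new_nonce() -> str:
    """Fresh, unpredictable value; one per Authentication Request."""
    return secrets.token_urlsafe(32)


def sign_nonce_cookie(nonce: str, key: bytes = COOKIE_KEY) -> str:
    """Cookie value 'nonce.mac' so the RP can later trust the nonce it stored."""
    mac = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def read_nonce_cookie(cookie: str, key: bytes = COOKIE_KEY):
    """Return the nonce if the cookie MAC verifies, otherwise None."""
    nonce, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return nonce


def id_token_nonce_matches(claims: dict, cookie: str, key: bytes = COOKIE_KEY) -> bool:
    """Replay check: the nonce claim of the (already signature-verified) ID Token
    must equal the nonce bound to this browser session via the signed cookie."""
    session_nonce = read_nonce_cookie(cookie, key)
    token_nonce = claims.get("nonce")
    if session_nonce is None or not isinstance(token_nonce, str):
        return False
    return hmac.compare_digest(token_nonce, session_nonce)


if __name__ == "__main__":
    nonce = new_nonce()
    cookie = sign_nonce_cookie(nonce)
    # Constructed ID Token claims: the OP passes the nonce through unmodified.
    fresh = {"iss": "https://op.example", "sub": "alice", "nonce": nonce}
    # A token captured from some earlier session carries a different nonce.
    replayed = {"iss": "https://op.example", "sub": "alice", "nonce": "nonce-from-an-earlier-session"}
    print(id_token_nonce_matches(fresh, cookie))     # True
    print(id_token_nonce_matches(replayed, cookie))  # False
```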

Comments (5)

  1. Nat Sakimura

    In addition:

    Edmund - You are looking at an old copy. There is no "browser" in the spec now. Compile new HTML from the source XML.
