Standard - Nonce implementation suggestion is worded too strongly

Issue #562 resolved
Former user created an issue

In section 2.3.1 of Standard, the following text is in the description of the nonce parameter:

> One method is to store a random value as a signed session cookie, and pass the value in the nonce parameter. The nonce in the returned ID Token is compared to the signed session cookie to detect ID Token replay by third parties.

While not normative as written, this is implementation advice and has no business inside of definition paragraphs. This placement has led some developers to treat this as the most highly recommended way to implement tracking the nonce at the client side. As there are many different ways to accomplish this (such as storing it in a bound session object, persisting it to a store that's dereferenced in the callback, etc.), I suggest that this text be taken out of the definition. It could then be added to a separate, clearly non-normative paragraph describing several methods to track the nonce, if desired. Alternatively, it could be removed completely without negatively affecting the strength of the text.
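The nonce binding that the quoted text and the alternatives above describe, as an added example that is not part of the spec or of this issue: a signed-cookie variant and a server-side store variant, both ending in the same replay check on the returned ID Token. It assumes the ID Token's signature and other claims have already been validated and its payload is available as a dict; every name and the key below are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo key; a real client loads this from its secret configuration.
COOKIE_KEY = b"constructed-demo-key-not-for-production"


def new_nonce() -> str:
    """Unguessable per-request nonce sent in the authentication request."""
    return secrets.token_urlsafe(32)


# Method 1 (the one the quoted paragraph describes): keep the nonce in a signed
# session cookie. The HMAC tag lets the client detect cookie tampering without
# any server-side state.
def sign_nonce_cookie(nonce: str, key: bytes = COOKIE_KEY) -> str:
    tag = hmac.new(key, nonce.encode(), hashlib.sha256).digest()
    return nonce + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def read_nonce_cookie(cookie: str, key: bytes = COOKIE_KEY) -> Optional[str]:
    """Return the nonce if the cookie's tag verifies, else None."""
    nonce = cookie.rpartition(".")[0]
    if nonce and hmac.compare_digest(sign_nonce_cookie(nonce, key), cookie):
        return nonce
    return None


# Method 2 (one of the alternatives the issue mentions): persist the nonce in a
# store keyed by session and dereference it in the callback. Consuming the entry
# makes each nonce single-use, so a replayed ID Token finds nothing to match.
class NonceStore:
    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        nonce = new_nonce()
        self._pending[session_id] = nonce
        return nonce

    def consume(self, session_id: str) -> Optional[str]:
        return self._pending.pop(session_id, None)  # None on second use


def id_token_nonce_matches(claims: Dict[str, object], expected: Optional[str]) -> bool:
    """Replay check: the ID Token's nonce claim must equal the value bound to this session."""
    got = claims.get("nonce")
    return bool(expected) and isinstance(got, str) and hmac.compare_digest(got, expected)
```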
