"nonce" still exists in Basic

Issue #615 resolved
Nov Matake created an issue

Basic sections 2.3 & 2.4 still mention "nonce". Is this OK, or were they forgotten when fixing #569 and should have been removed?

Comments (3)

  1. Nov Matake reporter

    Yeah, but the Basic spec uses "nonce" only in the 2 sentences below.

    2.3. ID Token

    The ID Token is used to manage the authentication event and user identifier and is scoped to a particular Client via the aud (audience) and nonce Claims.
    

    2.4. ID Token Verification

    The iat Claim may be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces must be stored to prevent attacks. The acceptable range is Client specific.
    

    If "nonce" exists in the Basic spec as informative, I might want its short definition in 2.2.1 too.

    Proposed text below (just copied from the Standard spec, with the text about the token flow case removed).

    2.3.1. Client Prepares an Authorization Request

    nonce: A string value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authorization Request to the ID Token. Use of the nonce is OPTIONAL when using the code flow.
    
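The two quoted sentences describe what a Relying Party actually does with these Claims: bind the ID Token to the Client via aud and nonce, and use iat to bound how long issued nonces must be remembered. The following is an added illustration written for this page, not text or code from the Basic spec or from the issue; the NonceStore class, the 300-second window and the sample claims are constructed assumptions, and the payload is taken to be already signature-verified.

```python
import hmac

class NonceStore:
    """Nonces sent in Authorization Requests, remembered only for the iat window."""

    def __init__(self, max_age_s):
        self.max_age_s = max_age_s  # the Client-specific acceptable range for iat
        self.issued = {}            # nonce -> time the Authorization Request was sent

    def issue(self, nonce, now):
        self.issued[nonce] = now

    def prune(self, now):
        # Tokens whose iat is older than max_age_s are rejected anyway (2.4),
        # so nonces older than that window can be forgotten.
        for n, t in list(self.issued.items()):
            if now - t > self.max_age_s:
                del self.issued[n]

    def consume(self, nonce):
        # One use only: a second ID Token carrying the same nonce fails here.
        return self.issued.pop(nonce, None) is not None


def verify_id_token_claims(claims, client_id, session_nonce, store, now, skew_s=60):
    """Check aud, iat and nonce of an already signature-verified ID Token payload.

    Returns (ok, reason). Order matters: cheap rejections (aud, iat) come before
    the nonce is consumed, so a stale token never burns a live nonce.
    """
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        return False, "aud does not include this Client"
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return False, "iat missing or malformed"
    if iat > now + skew_s:
        return False, "iat in the future"
    if now - iat > store.max_age_s:
        return False, "iat too old for this Client's acceptable range"
    nonce = claims.get("nonce")
    # The nonce must match the one tied to this Client session (2.3);
    # compare in constant time so the check leaks nothing about the stored value.
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce, session_nonce):
        return False, "nonce does not match the Client session"
    store.prune(now)
    if not store.consume(nonce):
        return False, "nonce unknown, expired or already used (possible replay)"
    return True, "ok"
```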