nonce requirements in messages not present in basic

Issue #834 resolved
Pamela Dingle created an issue

In the messages spec section 2.1.2.1, nonce is defined as OPTIONAL or REQUIRED, and it says that if the nonce is present in the idtoken, the client MUST check that the value of the nonce returned in the idtoken matches the value of the nonce sent in the authorization request.

In the basic profile however, nonce is not even listed as part of the idtoken in section 2.2, and there is no mention of the requirement to validate the nonce should it be returned in section 2.2.1, IDToken Validation.

Recommend that the nonce value be added to section 2.2 of the basic profile and that the validation requirement to check nonce be added to section 2.2.1 of the basic profile.

Comments (4)

  1. John Bradley

    Nonce was originally in basic but was removed. The logic was that it is TMI.

    The nonce allows the id_token to be bound to a particular browser session.

    A number of people felt it was unnecessary, especially for response_type=code.

    In an implicit flow the value of binding the id_token response to the browser session is clearer to people in that they can see that an id_token can be swapped.

    In the code case people believe that swapping code is harder or leads to fewer issues due to the difficulty of stealing code.

    In reality the redirect attacks on Facebook show that code can be stolen by a malicious site if the AS is not properly validating the redirect URI, and this leads to an attacker being able to impersonate a "good" client in the request and get back a code that can later be presented to the real RP. If I were the client I would use nonce to prevent attacks on an AS with improper redirect checking.

    However, the compromise at the time was to remove the requirement for the client to send or validate the nonce in the basic profile and rely on the AS not screwing up.

    I was the one that wanted to keep it, so I am probably not the best one to argue the "remove it" side (Justin I think feels strongly about this).

    All AS must pass it through so any client can use it, but at the moment it is not mentioned in the basic profile as it is considered a more advanced feature.

  2. Pamela Dingle (reporter)

    I can live with not mentioning how to implement nonce, but not with leaving it out altogether from the documentation of the idtoken as if it didn't even exist.

    In exactly the same way that acr and amr are defined in the basic profile idtoken definition but the exact ways to implement those claims have to be looked up elsewhere, nonce should be present in the basic profile idtoken definition.
