Ambiguity with how nonce is handled on refresh
Issue #1025
resolved
Currently the OpenID Specification in section 12.2 documents how the ID Token processing differs when the ID Token is received during refresh.
'nonce' is not listed as one of the modified behaviors, thus the reader may think it falls under the catch all "otherwise, the same rules apply as apply when issuing an ID Token at the time of the original authentication."
However, most token endpoints only return the 'nonce' in the ID Token issued in response to the authorization_code grant type (which makes sense).
The definition of nonce in Section 2 clearly associates it with the Authorization Request but it may leave some ambiguity along the lines of "do the nonce rules apply to the refresh_token token response when the authorization request had a 'nonce'?". This is actually true for several of the other claims, so a reader may assume it to be also true for nonce.
We should explicitly document in section 12.2 that 'nonce' is not expected to be present in ID Tokens returned for the refresh_token grant type.
Comments (7)
-
reporter
-
I'd propose that the MAY in the proposed text be a SHOULD as I think that not including the nonce on refresh is the more correct and more likely behavior.
-
Using nonce was already optional for the code flow. Per the call discussion on 26-Apr-18, using the nonce in a refresh token context doesn't particularly add value. We will make this clarification as part of the errata actions.
-
-
assigned issue to
Michael Jones
-
assigned issue to
-
- changed status to open
-
-
- changed status to resolved
- Log in to comment
Possible text to add to 12.2, based on how people seem to have interpreted
noncefor refresh tokens:nonceClaim Value MAY be absent, even when the ID Token issued when the original authentication occurred containednonce. If it is present, it MUST be the same as in the ID Token issued when the original authentication occurred.