nonce mandatory for SIOP

Issue #1265 resolved
Torsten Lodderstedt created an issue

SIOP v2 currently does not make the nonce a mandatory parameter. This bears the risk of id token injections.

OpenID Connect Core section already defines nonce as required parameter for OIDC implicit in order to prevent such attacks. I suggest to change SIOP v2 accordingly.

Comments (3)

  1. Log in to comment