nonce mandatory for SIOP
Issue #1265
resolved
SIOP v2 currently does not make the nonce a mandatory parameter. This bears the risk of ID token injections.
OpenID Connect Core section 3.2.2.1 already defines nonce as a required parameter for OIDC implicit in order to prevent such attacks. I suggest changing SIOP v2 accordingly.
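One way an RP can enforce the binding this issue asks for, as an added example that is not part of the issue thread or of the SIOP v2 specification text: the verifying side treats nonce as mandatory and rejects any ID token that lacks one, carries a nonce minted for a different login attempt, or is presented a second time. The session store, session ids, DID, URLs and the unsigned token fixture are constructed for illustration; signature validation of the token is assumed to have happened before this check runs.

```python
import base64
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_id_token(claims: dict) -> str:
    """Constructed, unsigned JWT fixture standing in for a Self-Issued OP response."""
    header = b64url(json.dumps({"alg": "none-for-test", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"


def start_authentication(sessions: dict, session_id: str) -> str:
    """RP side: mint one fresh, unpredictable nonce per login attempt and pin it to the session."""
    nonce = secrets.token_urlsafe(32)
    sessions[session_id] = {"nonce": nonce, "consumed": False}
    return nonce


def verify_id_token(sessions: dict, session_id: str, id_token: str, expected_aud: str, now=None) -> dict:
    """Accept an ID token only if it is bound to this session's pending request.

    Signature validation is assumed done already; this is the nonce/audience/expiry
    binding that stops a token minted for another login from being injected here."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    pending = sessions.get(session_id)
    if pending is None:
        raise ValueError("no authentication request pending for this session")
    # Treat nonce as mandatory regardless of the spec text: without it nothing
    # ties this token to the request the RP actually sent.
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not nonce:
        raise ValueError("id_token without nonce rejected")
    if pending["consumed"]:
        raise ValueError("nonce already consumed: replayed token")
    if not secrets.compare_digest(nonce.encode(), pending["nonce"].encode()):
        raise ValueError("nonce mismatch: token was not issued for this login attempt")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch: token issued to a different RP")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    pending["consumed"] = True  # single use: the same token cannot be presented twice
    return claims
```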
Comments (3)
- changed status to open
- changed status to resolved
  Resolved by merging PR #36 as agreed on 2021-07-22 call.
- Agreed. Created PR #36.