openid / connect / issues / #1265 - nonce mandatory for SIOP — Bitbucket

Issue #1265 resolved

Torsten Lodderstedt created an issue 2021-07-12

SIOP v2 currently does not make the nonce a mandatory parameter. This bears the risk of id token injections.

OpenID Connect Core section 3.2.2.1 already defines nonce as required parameter for OIDC implicit in order to prevent such attacks. I suggest to change SIOP v2 accordingly.

Comments (3)

Kristina Yasuda
Agreed. Created PR #36.

‌
- 2021-07-13T16:05:10+00:00
Kristina Yasuda
- changed status to open
- 2021-07-13T22:33:27+00:00
Kristina Yasuda
- changed status to resolved
Resolved by merging PR #36 as agreed on 2021-07-22 call.
- 2021-07-22T20:13:48+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Component: SIOP

Milestone: –

Version: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!