- changed status to open
Remove misleading self-issued language that seems to imply that nonce is optional
Issue #1266
resolved
In bullet 8 of https://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedValidation, the language “If a nonce value was sent in the Authentication Request” is misleading, and should be removed. Nonce is already required for the Implicit flow at https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest - including for response_type=id_token.
This problem was first identified in issue #1265.
Comments (3)
reporter - changed status to resolved
Addressed by the now-merged PR
To be applied in the next errata.
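
The difference between the two readings of bullet 8 can be seen in a relying party's nonce check. The sketch below is an added example, not text from the specification or from this issue: the function names and the claim values are hypothetical, and the claims are assumed to come from an ID Token whose signature has already been verified.

```python
import hmac
from typing import Optional


class NonceError(Exception):
    """Raised when the ID Token's nonce does not bind it to this request."""


def check_nonce_conditional(claims: dict, sent_nonce: Optional[str]) -> None:
    # Literal reading of "If a nonce value was sent in the Authentication
    # Request": with no recorded nonce the check is skipped entirely.
    if sent_nonce is None:
        return
    _require_match(claims, sent_nonce)


def check_nonce_required(claims: dict, sent_nonce: Optional[str]) -> None:
    # Reading after the fix: the Implicit flow always sends a nonce, so a
    # missing recorded value is itself a validation failure.
    if not sent_nonce:
        raise NonceError("no nonce recorded for this Authentication Request")
    _require_match(claims, sent_nonce)


def _require_match(claims: dict, sent_nonce: str) -> None:
    token_nonce = claims.get("nonce")
    if not isinstance(token_nonce, str):
        raise NonceError("ID Token has no nonce claim")
    # Constant-time comparison of the two values.
    if not hmac.compare_digest(token_nonce.encode(), sent_nonce.encode()):
        raise NonceError("nonce mismatch")


def accepts(check, claims: dict, sent_nonce: Optional[str]) -> bool:
    """Return True if the given check lets the token through."""
    try:
        check(claims, sent_nonce)
        return True
    except NonceError:
        return False


# Constructed claims for illustration; none of these values come from the spec.
CLAIMS = {"sub": "constructed-subject", "aud": "https://rp.example/cb", "nonce": "n-0S6_WzA2Mj"}

if __name__ == "__main__":
    for name, check in (("conditional", check_nonce_conditional), ("required", check_nonce_required)):
        print(name, accepts(check, CLAIMS, "n-0S6_WzA2Mj"), accepts(check, CLAIMS, None))
```

With the conditional form, a relying party that has no nonce on record for the request accepts the token without any replay binding; the required form rejects it.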