SIOP request, parameters state and nonce

As of now the state parameter (RECOMMENDED by OpenID Core Section 3.1.2.1) is missing in the request parameters. I suggest either
- adding it to the request parameter list, or
- making it explicit that the parameter list is merely an extension of the parameters given for the OpenID Core Implicit Flow.

Similarly, nonce (REQUIRED for the Implicit Flow) is not listed. The current hint “Since it is an Implicit Flow response, nonce Claim MUST be present.” seems confusing to me, since a nonce PARAMETER is required, and this might lead to confusion with the claims parameter.
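As an added illustration (not part of this issue or of the SIOPv2 draft), the following Python shows what the pairing of the nonce request parameter with the nonce ID Token claim buys the relying party, and where an optional state value fits if an implementation chooses to use one. The `openid://` request scheme, the issuer value, the client_id and the HS256 signature check are constructed stand-ins for the example; a real SIOP verifier checks the holder's self-issued key instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example only.
DEMO_ISSUER = "https://siop.example/issuer"
DEMO_CLIENT_ID = "https://rp.example/cb"
DEMO_KEY = b"constructed-demo-hmac-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_siop_request(client_id: str, redirect_uri: str, use_state: bool = True):
    """Build the RP's authorization request and the values it must remember.

    nonce is always sent (REQUIRED for an Implicit Flow response); state is
    optional and only included when the RP wants a callback-binding value.
    """
    nonce = secrets.token_urlsafe(24)
    params = {
        "response_type": "id_token",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    }
    pending = {"nonce": nonce}
    if use_state:
        pending["state"] = params["state"] = secrets.token_urlsafe(24)
    # "openid://" is assumed here as the SIOP request scheme (example only).
    return "openid://?" + urlencode(params), pending


def validate_siop_response(callback_url, pending, client_id, expected_iss, verify_signature, now=None):
    """Validate a fragment-encoded id_token response against the pending request."""
    now = int(time.time()) if now is None else now
    frag = parse_qs(urlparse(callback_url).fragment)
    # state, when used, must be echoed back unchanged (binds the callback to the request).
    if "state" in pending and frag.get("state", [""])[0] != pending["state"]:
        raise ValueError("state mismatch")
    token = frag.get("id_token", [None])[0]
    if token is None:
        raise ValueError("missing id_token")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(header, signing_input, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if payload.get("iss") != expected_iss:
        raise ValueError("unexpected iss")
    if payload.get("aud") != client_id:
        raise ValueError("aud is not this client")
    if int(payload.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    # The nonce CLAIM in the id_token must equal the nonce PARAMETER we sent;
    # this is what protects the id_token against replay.
    if not hmac.compare_digest(str(payload.get("nonce", "")), pending["nonce"]):
        raise ValueError("nonce mismatch (possible replay)")
    return payload


def make_demo_id_token(payload: dict, key: bytes) -> str:
    """Constructed HS256 token standing in for a holder-signed self-issued id_token."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def demo_hs256_verifier(header, signing_input, signature) -> bool:
    """Stand-in signature check using the constructed shared key."""
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)


def demo():
    """Accept a correctly bound response, then reject its replay against a new request."""
    _, pending = build_siop_request(DEMO_CLIENT_ID, DEMO_CLIENT_ID)
    payload = {"iss": DEMO_ISSUER, "sub": "did:example:holder", "aud": DEMO_CLIENT_ID,
               "nonce": pending["nonce"], "iat": 1000, "exp": 2000}
    callback = DEMO_CLIENT_ID + "#" + urlencode(
        {"id_token": make_demo_id_token(payload, DEMO_KEY), "state": pending["state"]})
    accepted = validate_siop_response(callback, pending, DEMO_CLIENT_ID, DEMO_ISSUER,
                                      demo_hs256_verifier, now=1500)
    # Replaying the same callback against a fresh request (no state used) fails on the nonce.
    _, fresh = build_siop_request(DEMO_CLIENT_ID, DEMO_CLIENT_ID, use_state=False)
    try:
        validate_siop_response(callback, fresh, DEMO_CLIENT_ID, DEMO_ISSUER,
                               demo_hs256_verifier, now=1500)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return accepted["sub"], replay_rejected


if __name__ == "__main__":
    print(demo())
```

The second validation in `demo()` is the point of the thread: even with no state in play, the replayed ID Token is rejected because its nonce claim does not match the nonce parameter of the new request, which is why the nonce parameter (not only the claim) has to be in the request.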
Comments (6)

- re nonce, below is the latest text:

  re state, it is optional and up to the implementations, because for example in cross-device flow, there is no state to maintain between the request and the callback… I could add the language to clarify this.

- reporter: Thank you for clarifying this.

  re state, I am not sure if the parameter is needed for SIOP since there are no codes / access tokens (and ID tokens are protected from replay with the nonce), and the CSRF protection for the redirection endpoint with the state might not be a concern in SIOP. So, unless I am mistaken, the current language is probably fine.

- Kristina to remove state from the examples in SIOPv2

- In PR #86. please review

- changed status to open

  discussed at 2021-12-09 SIOP call

- changed status to resolved

  PR #86 merged