openid / connect / issues / #304 - Basic, Messages, Standard - Nonce seems redundant with state

John Bradley

changed status to wontfix

State may encode information about what authorizaton endpoint is being used as well as providing some XSRF protection.

Without state being signed in the response it is still possible to replay a intercepted authentication response by cutting and replacing the state value.

nonce is signed in the id_token to prevent tampering.

It might be possible to use state for both to reduce the request size, however some clients may have a reason to use different values. For the implementers draft keeping them separate provides more flexibility to work with existing OAuth libraries.

2011-12-08T19:28:43+00:00

Comments (3)

Nat Sakimura
- assigned issue to
  
  John Bradley
- changed status to open
Add rationale.
- 2011-11-18T01:01:07+00:00
John Bradley
- marked as trivial
- 2011-12-03T02:54:05+00:00
John Bradley
- changed status to wontfix
State may encode information about what authorizaton endpoint is being used as well as providing some XSRF protection.

Without state being signed in the response it is still possible to replay a intercepted authentication response by cutting and replacing the state value.

nonce is signed in the id_token to prevent tampering.

It might be possible to use state for both to reduce the request size, however some clients may have a reason to use different values. For the implementers draft keeping them separate provides more flexibility to work with existing OAuth libraries.
- 2011-12-08T19:28:43+00:00
Log in to comment