Basic, Messages, Standard - Nonce seems redundant with state
Issue #304
wontfix
How is nonce not redundant with state? Can’t we just get rid of nonce and make state mandatory?
Comments (3)
- marked as trivial
- changed status to wontfix
State may encode information about what authorization endpoint is being used as well as providing some XSRF protection.
Without state being signed in the response it is still possible to replay an intercepted authentication response by cutting and replacing the state value.
nonce is signed in the id_token to prevent tampering.
It might be possible to use state for both to reduce the request size, however some clients may have a reason to use different values. For the implementers draft keeping them separate provides more flexibility to work with existing OAuth libraries.
Add rationale.
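The cut-and-paste replay described in the comment above, worked through as an added example (this is not code from the issue or from the OpenID Connect specifications). The OP, the relying party, the session store, the browser session identifiers, and the HS256 shared signing key are all constructed for the demo; a real OP would normally sign ID Tokens with an asymmetric key. The attack step also assumes the attacker has learned the victim's `state` value, which is plain query-string data and is not protected by any signature.

```python
"""Added example: why `state` alone cannot replace `nonce`.

`state` is echoed back unsigned in the authorization response, so anyone
holding a captured response can rewrite it. `nonce` is carried inside the
signed ID Token, so it cannot be changed without breaking the signature.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Assumption: a shared HMAC key stands in for the OP's signing key (HS256).
OP_SIGNING_KEY = b"constructed-demo-signing-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict) -> str:
    """Produce a compact JWS (HS256) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """Return the claims if the signature verifies, otherwise raise ValueError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    return json.loads(_b64url_decode(payload))


def op_authorize(request_query: str, authenticated_sub: str) -> str:
    """Constructed OP: authenticates `authenticated_sub`, echoes `state` back
    unsigned and binds `nonce` into the signed ID Token."""
    req = parse_qs(request_query)
    claims = {"iss": "https://op.example", "sub": authenticated_sub,
              "aud": req["client_id"][0], "nonce": req["nonce"][0]}
    return urlencode({"state": req["state"][0], "id_token": sign_id_token(claims)})


class RelyingParty:
    def __init__(self):
        self.sessions = {}  # browser session id -> pending {"state", "nonce"}

    def start_login(self, session_id: str) -> str:
        self.sessions[session_id] = {"state": secrets.token_urlsafe(16),
                                     "nonce": secrets.token_urlsafe(16)}
        return urlencode({"client_id": "rp", "response_type": "id_token",
                          **self.sessions[session_id]})

    def finish_login(self, session_id: str, response_query: str, check_nonce: bool = True) -> dict:
        resp = parse_qs(response_query)
        expected = self.sessions.get(session_id)
        if expected is None:
            raise ValueError("no pending login for this session")
        if resp["state"][0] != expected["state"]:
            raise ValueError("state mismatch")
        claims = verify_id_token(resp["id_token"][0])  # signature checked first
        if check_nonce and claims["nonce"] != expected["nonce"]:
            raise ValueError("nonce mismatch: id_token was not issued for this login")
        del self.sessions[session_id]  # pending values are single use
        return claims


def run_scenarios() -> dict:
    rp = RelyingParty()
    out = {}

    # 1. Honest flow: state and nonce both match the victim's pending login.
    req = rp.start_login("victim-browser")
    out["honest_sub"] = rp.finish_login("victim-browser", op_authorize(req, "victim"))["sub"]

    # 2. Cut-and-paste: the attacker obtains a genuine response for their own account,
    #    rewrites the unsigned `state` to the victim's value (assumed known to the
    #    attacker) and delivers the result to the victim's browser.
    attacker_token = parse_qs(op_authorize(rp.start_login("attacker-browser"), "attacker"))["id_token"][0]
    rp.start_login("victim-browser")
    victim = rp.sessions["victim-browser"]
    forged = urlencode({"state": victim["state"], "id_token": attacker_token})
    try:
        rp.finish_login("victim-browser", forged)
        out["nonce_rejects"] = False
    except ValueError as err:
        out["nonce_rejects"] = str(err).startswith("nonce mismatch")
    # An RP that relied on `state` alone would accept it: the victim is now logged in
    # as the attacker (session fixation / login CSRF), which is what the nonce prevents.
    out["state_only_sub"] = rp.finish_login("victim-browser", forged, check_nonce=False)["sub"]

    # 3. Editing the nonce inside the ID Token to the victim's value does not help the
    #    attacker: the payload is covered by the OP's signature.
    rp.start_login("victim-browser")
    victim = rp.sessions["victim-browser"]
    header, payload, sig = attacker_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["nonce"] = victim["nonce"]
    tampered = f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
    try:
        rp.finish_login("victim-browser", urlencode({"state": victim["state"], "id_token": tampered}))
        out["signature_rejects"] = False
    except ValueError as err:
        out["signature_rejects"] = "signature" in str(err)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The honest flow succeeds, the state-only check accepts the attacker's ID Token for the victim's session, the nonce check rejects it, and a token with a rewritten nonce fails signature verification. This is the asymmetry the comment points at: both values bind the response to a pending login, but only the one inside the signed ID Token survives an attacker who can edit the response.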