#569: Basic - Drop nonce from basic profile
I would suggest removing nonces from the basic profile and instead using TLS and a single-use restriction on authorization codes to prevent token replay. This is in line with the definitions given in the security considerations section of the OAuth core spec and further simplifies implementations.
In §10.12, it is stated that any client must prevent XSRF:
"The client MUST implement CSRF protection for its redirection URI." "The client SHOULD utilize the "state" request parameter ..."
§10.5 requires: "Authorization codes MUST be short lived and single use."
and also states that TLS MUST be used to protect the redirect endpoints of clients which use OAuth for login functions, which clearly holds for OpenID Connect RPs.
"Therefore, if the client relies on the authorization code for its own resource owner authentication, the client redirection endpoint MUST require TLS."
Comments (3)
Drop it from Basic; optional for Messages and Standard. If the IdP gets a nonce, it MUST return it.
Single-use codes are not practical for geographically distributed IdP implementations. With a short-lived token, giving the RP a way to detect replay is still a valuable option.
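The two mechanisms discussed in this thread, the `state` parameter as CSRF protection for the redirection URI (§10.12, quoted in the issue) and the ID token `nonce` as the RP's own replay check (the point raised in the last comment), look like this on the RP side. This is an added illustration for the thread, not code from the OpenID Connect specifications or from any implementation; the ID token is represented by its already-verified claims, so signature, issuer and audience checks are assumed to have happened before these functions run, and the session is a plain dict.

```python
"""RP-side handling of OAuth 'state' and OpenID Connect 'nonce'.

Added example for the #569 discussion; not spec text or reference code.
Assumptions: the ID token arrives as verified claims (dict), the user's
session is a dict, and both values are popped on first use so a second
presentation of the same response or token is detected.
"""
import secrets
import time
from typing import Optional


class LoginError(Exception):
    """Raised when the callback cannot be bound to the session that started it."""


def begin_login(session: dict) -> dict:
    """Create per-login state and nonce, keep them in the session and return
    the parameters the RP adds to the authorization request."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return {
        "response_type": "code",
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }


def check_state(session: dict, returned_state: Optional[str]) -> None:
    """CSRF protection for the redirection URI: the echoed 'state' must match
    the one stored in this session. Popping it makes the callback single-use."""
    expected = session.pop("oidc_state", None)
    if expected is None or returned_state is None:
        raise LoginError("no pending login for this session")
    if not secrets.compare_digest(expected, returned_state):
        raise LoginError("state mismatch: response not bound to this session")


def check_id_token(session: dict, claims: dict, now: Optional[float] = None) -> str:
    """Bind the ID token to this login via 'nonce' and reject expired or
    replayed tokens. Returns the authenticated subject."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise LoginError("ID token expired")
    expected = session.pop("oidc_nonce", None)
    nonce = claims.get("nonce")
    if expected is None or nonce is None:
        raise LoginError("nonce missing: ID token replay or unsolicited token")
    if not secrets.compare_digest(expected, nonce):
        raise LoginError("nonce mismatch: ID token not issued for this login")
    return claims["sub"]


def demo_flow() -> dict:
    """One honest login, then a replay of the same ID token and a callback
    carrying a foreign state value (all data constructed in-line)."""
    session: dict = {}
    params = begin_login(session)
    # Constructed: claims the OP would put in the ID token for this login.
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "rp-client",
              "exp": time.time() + 300, "nonce": params["nonce"]}
    check_state(session, params["state"])
    sub = check_id_token(session, claims)

    # Replaying the token: the nonce was consumed, so it is rejected even
    # though the token itself is still unexpired and correctly signed.
    try:
        check_id_token(session, claims)
        replay_rejected = False
    except LoginError:
        replay_rejected = True

    # Cross-site callback: a response carrying someone else's state value.
    begin_login(session)
    try:
        check_state(session, "attacker-chosen-state")
        csrf_rejected = False
    except LoginError:
        csrf_rejected = True

    return {"sub": sub, "replay_rejected": replay_rejected,
            "csrf_rejected": csrf_rejected}


if __name__ == "__main__":
    print(demo_flow())
```

The nonce check is independent of whether the authorization server enforces single-use codes: the RP consumes the nonce itself, so a second presentation of the same ID token fails at the RP even when the code that produced it could be exchanged again.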