- assigned issue to
- changed status to open
"nonce" still exists in Basic
Issue #615
resolved
Basic sections 2.3 & 2.4 still mention "nonce".
Is this OK, or were they forgotten when fixing #569?
Comments (3)
reporter: Yeah, but the Basic spec uses "nonce" only in the 2 sentences below.
2.3. ID Token
The ID Token is used to manage the authentication event and user identifier and is scoped to a particular Client via the aud (audience) and nonce Claims.
2.4. ID Token Verification
The iat Claim may be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces must be stored to prevent attacks. The acceptable range is Client specific.
If "nonce" exists in the Basic spec as informative, I might want its short definition in 2.2.1 too.
Proposed text below (just copied from the Standard spec, with the text about the token flow case removed):
2.3.1. Client Prepares an Authorization Request
nonce: A string value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authorization Request to the ID Token. Use of the nonce is OPTIONAL when using the code flow.
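An added example, not from the spec or from this issue, of the client-side handling the quoted sentences describe: the nonce is generated per session, sent in the Authorization Request, checked unmodified in the ID Token and consumed once, while the iat window bounds how long it must be stored. CLIENT_ID, MAX_IAT_SKEW and all names below are constructed; signature validation of the ID Token is assumed to have been done before `claims` is passed in.

```python
import time
import secrets

# Constructed example values; the client-specific iat window is a policy choice.
CLIENT_ID = "s6BhdRkqt3"   # constructed sample client_id
MAX_IAT_SKEW = 300          # acceptable iat range in seconds (Client specific)

class NonceStore:
    """Nonces issued but not yet consumed, keyed by the Client session id."""
    def __init__(self):
        self._pending = {}  # session_id -> (nonce, time issued)

    def issue(self, session_id, now=None):
        # Unguessable value bound to this session; goes into the Authorization Request.
        nonce = secrets.token_urlsafe(32)
        self._pending[session_id] = (nonce, now if now is not None else time.time())
        return nonce

    def consume(self, session_id, nonce):
        # One-time use: presenting the same nonce again is treated as a replay.
        entry = self._pending.pop(session_id, None)
        return entry is not None and secrets.compare_digest(entry[0], nonce)

    def purge(self, now=None):
        # Because tokens with an old iat are rejected anyway, nonces older than
        # the iat window never need to be remembered (section 2.4 of the Basic spec).
        now = now if now is not None else time.time()
        for sid in [s for s, (_, t) in self._pending.items() if now - t > MAX_IAT_SKEW]:
            del self._pending[sid]

def verify_id_token(claims, session_id, store, now=None):
    """Return (ok, reason) for an already signature-checked ID Token payload."""
    now = now if now is not None else time.time()
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        return False, "aud does not include this Client"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_IAT_SKEW:
        return False, "iat outside acceptable range"
    nonce = claims.get("nonce")
    if nonce is None:
        # nonce is OPTIONAL in the code flow, but if we sent one it must come back.
        return False, "nonce claim missing"
    if not store.consume(session_id, nonce):
        return False, "nonce unknown or already used (possible replay)"
    return True, "ok"
```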
- changed status to resolved
Fixes #615: added informative definition of nonce in 2.2.1
It is informative. It may remain.