"nonce" still exists in Basic

Issue #615 resolved
Nov Matake created an issue

Basic section 2.3 & 2.4 still mentions about "nonce". Is this OK? or they are forgotten to be removed when fixing #569 ?

Comments (3)

  1. Nov Matake reporter

    Yeah, but Basic spec uses "nonce" only in 2 sentences below.

    2.3. ID Token

    The ID Token is used to manage the authentication event and user identifier and is scoped to a particular Client via the aud (audience) and nonce Claims.

    2.4. ID Token Verification

    The iat Claim may be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces must be stored to prevent attacks. The acceptable range is Client specific.

    If "nonce" exists in Basic spec as informative, I might want its short definition in 2.2.1 too.

    Proposed text below. (just copied from Standard spec, removed text about token flow case)

    2.3.1. Client Prepares an Authorization Request

    nonce: A string value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authorization Request to the ID Token. Use of the nonce is OPTIONAL when using the code flow.
  2. Log in to comment