[Openid-specs-ab] Issue #1265: nonce mandatory for SIOP (openid/connect)

tlodderstedt issues-reply at bitbucket.org
Mon Jul 12 08:19:32 UTC 2021


New issue 1265: nonce mandatory for SIOP
https://bitbucket.org/openid/connect/issues/1265/nonce-mandatory-for-siop

Torsten Lodderstedt:

SIOP v2 currently does not make the nonce a mandatory parameter. This bears the risk of id token injections. 

OpenID Connect Core section 3.2.2.1 already defines nonce as required parameter for OIDC implicit in order to prevent such attacks. I suggest to change SIOP v2 accordingly.


More information about the Openid-specs-ab mailing list