[Openid-specs-ab] Issue #1265: nonce mandatory for SIOP (openid/connect)

tlodderstedt issues-reply at bitbucket.org
Mon Jul 12 08:19:32 UTC 2021

New issue 1265: nonce mandatory for SIOP

Torsten Lodderstedt:

SIOP v2 currently does not make the nonce a mandatory parameter. This bears the risk of ID token injection.

OpenID Connect Core section already defines nonce as a required parameter for OIDC implicit in order to prevent such attacks. I suggest changing SIOP v2 accordingly.
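The attack the issue refers to, and the check the nonce enables, as an added worked example (not code from the issue, the mailing list or the SIOP v2 spec): the RP mints a fresh nonce per browser session and puts it in the request; the self-issued OP copies it into the ID Token; the RP accepts an ID Token only if its nonce claim equals the one pending in that same session, and consumes it. An ID Token that is validly signed but carries another session's nonce (or none) is rejected, which is what an optional nonce cannot guarantee. Assumptions, labelled in the code: the RP identifier `https://rp.example/cb`, the session dict, and HS256 with a per-holder secret as a stand-in for the holder's asymmetric key and `sub_jwk` used in real SIOP; the injection scenarios are constructed.

```python
"""Nonce binding for self-issued ID Tokens (SIOP): added example, not spec code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

SELF_ISSUED_ISS = "https://self-issued.me/v2"  # iss value used by SIOP v2
RP_CLIENT_ID = "https://rp.example/cb"         # hypothetical RP redirect_uri / client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# ---- RP side: start a login ------------------------------------------------
def rp_start_login(session: dict) -> str:
    """Mint a fresh nonce, bind it to this browser session, build the SIOP request."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce            # pending nonce, single use
    params = {
        "response_type": "id_token",
        "client_id": RP_CLIENT_ID,
        "redirect_uri": RP_CLIENT_ID,
        "scope": "openid",
        "nonce": nonce,
        "state": secrets.token_urlsafe(16),
    }
    return "openid://?" + urllib.parse.urlencode(params)


# ---- Self-issued OP side: answer the request --------------------------------
def siop_issue_id_token(request_url: str, holder_key: bytes, *, include_nonce: bool = True) -> str:
    """Build and sign a self-issued ID Token. HS256 with holder_key is a stand-in
    for the holder's asymmetric key (real SIOP signs with the key in sub_jwk)."""
    params = dict(urllib.parse.parse_qsl(request_url.split("?", 1)[1]))
    now = int(time.time())
    claims = {
        "iss": SELF_ISSUED_ISS,
        "sub": hashlib.sha256(holder_key).hexdigest(),  # stand-in for the JWK thumbprint
        "aud": params["client_id"],
        "iat": now,
        "exp": now + 300,
    }
    if include_nonce and "nonce" in params:   # optional nonce: an OP may omit it
        claims["nonce"] = params["nonce"]
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(holder_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# ---- RP side: validate the response -----------------------------------------
def rp_validate_id_token(session: dict, id_token: str, holder_key: bytes) -> dict:
    """Verify signature, iss, aud, exp, then enforce the nonce binding:
    the claim must be present, match the session's pending nonce, and is consumed."""
    try:
        h, p, s = id_token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    expected_sig = hmac.new(holder_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != SELF_ISSUED_ISS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not nonce:
        raise ValueError("nonce missing: ID Token not bound to any request")
    pending = session.pop("oidc_nonce", None)   # consumed even on mismatch: fail closed
    if pending is None:
        raise ValueError("no pending nonce in session (already used or login not started)")
    if not hmac.compare_digest(nonce.encode(), pending.encode()):
        raise ValueError("nonce mismatch: ID Token was issued for a different session")
    return claims


def run_scenarios() -> dict:
    """Constructed scenarios: honest login, replay, cross-session injection, missing nonce."""
    victim_key, attacker_key = b"victim-holder-key", b"attacker-holder-key"
    results = {}
    victim_session = {}
    tok = siop_issue_id_token(rp_start_login(victim_session), victim_key)
    results["honest"] = rp_validate_id_token(victim_session, tok, victim_key)["sub"] == hashlib.sha256(victim_key).hexdigest()
    for name, sess, token, key in (
        # same token presented again to the same session: nonce already consumed
        ("replay", victim_session, tok, victim_key),
        # attacker obtains a valid token for their own session and injects it into the victim's
        ("injection", {}, siop_issue_id_token(rp_start_login(attacker_session := {}), attacker_key), attacker_key),
        # OP omitted the nonce (what an optional nonce allows)
        ("no_nonce", {}, None, victim_key),
    ):
        if name == "injection":
            rp_start_login(sess)                      # victim has a login pending
        if name == "no_nonce":
            token = siop_issue_id_token(rp_start_login(sess), key, include_nonce=False)
        try:
            rp_validate_id_token(sess, token, key)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The injected token in the third scenario passes every check the signature can give (the attacker's own key signed it, the issuer and audience are right, it is not expired); only the comparison against the session's pending nonce rejects it. Popping the nonce before the comparison also makes a token single use and forces a fresh login after any failed attempt.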
