[Openid-specs-ab] Issue #1265: nonce mandatory for SIOP (openid/connect)
issues-reply at bitbucket.org
Mon Jul 12 08:19:32 UTC 2021
New issue 1265: nonce mandatory for SIOP
SIOP v2 currently does not make the nonce a mandatory parameter. This bears the risk of ID token injections.
OpenID Connect Core section 184.108.40.206 already defines nonce as a required parameter for OIDC implicit in order to prevent such attacks. I suggest changing SIOP v2 accordingly.
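The following is an added example, not part of the issue text or of any OpenID specification, showing why the nonce matters on the relying-party side. The ID Token is modelled as an already signature-verified claims dict; the client identifier, issuer and subject values are constructed. The lenient path (nonce optional, as the issue describes SIOP v2) accepts a token that carries no nonce, so a token minted for a different session can be bound to this one; the strict path (nonce required, as in OIDC implicit) rejects it and also refuses a replay of a legitimate token because the session nonce is consumed on first use.

```python
import hmac
import secrets
import time
from typing import Optional


class IdTokenRejected(Exception):
    """Raised when an ID Token cannot be bound to the current login session."""


def start_login(client_id: str) -> dict:
    """Create a relying-party login session holding a fresh, single-use nonce."""
    return {
        "client_id": client_id,
        "nonce": secrets.token_urlsafe(32),
        "nonce_used": False,
        "started": time.time(),
    }


def build_request(session: dict, redirect_uri: str, nonce_required: bool) -> dict:
    """Authentication request parameters; nonce_required models the spec choice."""
    params = {
        "response_type": "id_token",
        "client_id": session["client_id"],
        "redirect_uri": redirect_uri,
        "scope": "openid",
    }
    if nonce_required:
        params["nonce"] = session["nonce"]
    return params


def bind_id_token(session: dict, claims: dict, nonce_required: bool,
                  now: Optional[float] = None) -> bool:
    """Accept already signature-verified claims only if they belong to session.

    nonce_required=False: a token with no nonce claim passes on aud/exp alone,
    so nothing ties it to this session (the injection risk raised in the issue).
    nonce_required=True: the token must echo this session's nonce, which is
    then consumed so the same token cannot be presented twice.
    """
    now = time.time() if now is None else now
    if claims.get("aud") != session["client_id"]:
        raise IdTokenRejected("aud does not match this client")
    if claims.get("exp", 0) <= now:
        raise IdTokenRejected("token expired")

    token_nonce = claims.get("nonce")
    if token_nonce is None:
        if nonce_required:
            raise IdTokenRejected("nonce claim missing")
        return True  # lenient path: token accepted without session binding
    if session["nonce_used"]:
        raise IdTokenRejected("nonce already consumed (replay)")
    if not hmac.compare_digest(token_nonce, session["nonce"]):
        raise IdTokenRejected("nonce does not match this session")
    session["nonce_used"] = True
    return True


def demo() -> dict:
    """Constructed scenario: token from another session vs. strict nonce check."""
    victim = start_login("https://rp.example/cb")  # constructed client_id
    # Constructed claims of a token issued for a different login session
    # (no nonce claim, but a matching audience and a valid expiry).
    foreign = {
        "iss": "https://self-issued.example",  # constructed issuer
        "sub": "did:example:other-user",        # constructed subject
        "aud": victim["client_id"],
        "exp": time.time() + 300,
    }
    lenient = bind_id_token(victim, foreign, nonce_required=False)
    try:
        bind_id_token(victim, foreign, nonce_required=True)
        strict = True
    except IdTokenRejected:
        strict = False
    # A legitimate token echoes the session nonce: accepted once, then replay fails.
    honest = dict(foreign, sub="did:example:victim", nonce=victim["nonce"])
    first = bind_id_token(victim, honest, nonce_required=True)
    try:
        bind_id_token(victim, honest, nonce_required=True)
        replay = True
    except IdTokenRejected:
        replay = False
    return {
        "lenient_accepts_foreign": lenient,
        "strict_accepts_foreign": strict,
        "strict_accepts_honest": first,
        "strict_accepts_replay": replay,
    }


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest so the nonce check does not leak timing information, and the nonce is marked used only after a successful match, so a failed attempt cannot lock a session.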