[Openid-specs-ab] Issue #1266: Remove misleading self-issued language that seems to imply that nonce is optional (openid/connect)
mbj
issues-reply at bitbucket.org
Tue Jul 13 22:58:57 UTC 2021
New issue 1266: Remove misleading self-issued language that seems to imply that nonce is optional
https://bitbucket.org/openid/connect/issues/1266/remove-misleading-self-issued-language
Michael Jones:
In bullet 8 of https://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedValidation, the language “If a nonce value was sent in the Authentication Request” is misleading, and should be removed. Nonce is already required for the Implicit flow at https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest - including for response_type=id_token.
This problem was first identified in issue #1265.
Responsible: Michael Jones