[Openid-specs-ab] Issue #1266: Remove misleading self-issued language that seems to imply that nonce is optional (openid/connect)

mbj issues-reply at bitbucket.org
Tue Jul 13 22:58:57 UTC 2021


New issue 1266: Remove misleading self-issued language that seems to imply that nonce is optional
https://bitbucket.org/openid/connect/issues/1266/remove-misleading-self-issued-language

Michael Jones:

In bullet 8 of https://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedValidation, the language "If a nonce value was sent in the Authentication Request" is misleading, and should be removed. Nonce is already required for the Implicit flow at https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest - including for response_type=id_token.

This problem was first identified in issue #1265.

Responsible: Michael Jones
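Editor's added example (not part of the issue, the spec text, or the openid/connect repository): a minimal Relying Party side of the response_type=id_token exchange with a Self-Issued OP, written the way the issue says the spec should read. The RP always sends a nonce, and validation of the returned ID Token claims treats the nonce as mandatory and single-use rather than "if a nonce was sent". The sub/sub_jwk thumbprint check (RFC 7638) is included because it is part of self-issued validation; JWS signature verification with sub_jwk is assumed to happen before these claim checks and is not shown. The client_id, key material and timestamps are constructed for the example.

```python
"""Nonce handling for a Self-Issued OP response (response_type=id_token), added example."""
import base64
import hashlib
import json
import secrets
import time

SELF_ISSUED_ISS = "https://self-issued.me"  # iss value used by a Self-Issued OP in Core 1.0


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWK thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    keys = required[jwk["kty"]]  # KeyError for unsupported kty; caller treats that as invalid
    canonical = json.dumps({k: jwk[k] for k in keys}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


class NonceStore:
    """Nonces this RP has sent but not yet seen in an ID Token. Each nonce is consumed once."""

    def __init__(self):
        self._pending = {}  # nonce -> time issued

    def issue(self) -> str:
        nonce = secrets.token_urlsafe(32)  # unguessable, bound to this browser session by the RP
        self._pending[nonce] = time.time()
        return nonce

    def consume(self, nonce: str) -> bool:
        return self._pending.pop(nonce, None) is not None


def build_auth_request(client_id: str, nonce: str) -> dict:
    """Authentication Request parameters. For a Self-Issued OP the client_id is the redirect_uri."""
    return {
        "response_type": "id_token",
        "client_id": client_id,
        "redirect_uri": client_id,
        "scope": "openid",
        "nonce": nonce,  # REQUIRED for response_type=id_token, not optional
    }


def validate_self_issued_claims(claims: dict, client_id: str, store: NonceStore,
                                now: float = None, skew: int = 60):
    """Return None if the decoded ID Token claims are acceptable, else the first failure reason.

    Assumes the JWS signature was already verified against claims["sub_jwk"].
    """
    now = time.time() if now is None else now
    if claims.get("iss") != SELF_ISSUED_ISS:
        return "iss is not the self-issued issuer"
    sub_jwk = claims.get("sub_jwk")
    try:
        expected_sub = jwk_thumbprint(sub_jwk) if isinstance(sub_jwk, dict) else None
    except (KeyError, TypeError):
        expected_sub = None
    if expected_sub is None or claims.get("sub") != expected_sub:
        return "sub does not match thumbprint of sub_jwk"
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        return "aud does not contain client_id"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return "token expired or exp missing"
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + skew:
        return "iat missing or in the future"
    # Nonce is always required here: the RP always sent one, so the token must carry it back.
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not nonce:
        return "nonce missing"
    if not store.consume(nonce):
        return "nonce unknown or already used"
    return None


if __name__ == "__main__":
    store = NonceStore()
    client_id = "https://rp.example/cb"  # constructed
    request = build_auth_request(client_id, store.issue())
    jwk = {"kty": "RSA", "n": "sXchDaQ", "e": "AQAB"}  # constructed, not a real key
    token_claims = {  # what a Self-Issued OP would put in the ID Token payload
        "iss": SELF_ISSUED_ISS, "sub": jwk_thumbprint(jwk), "sub_jwk": jwk,
        "aud": client_id, "iat": int(time.time()), "exp": int(time.time()) + 600,
        "nonce": request["nonce"],
    }
    print("first use:", validate_self_issued_claims(token_claims, client_id, store))
    print("replay:   ", validate_self_issued_claims(token_claims, client_id, store))
```

The second call in the demo fails because the nonce was consumed on first use; a token with the nonce claim dropped fails at "nonce missing" regardless of how the request was constructed, which is the behaviour the issue asks the spec text to make unambiguous.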


