[Openid-specs-ab] response_type and nonce

John Bradley ve7jtb at ve7jtb.com
Mon Sep 3 16:13:29 UTC 2012

id_token on it's own is returned fragment encoded in the front channel.

The identity of the requester is implicit through the registered redirect.  

Nonce is required in that flow.

The nonce is only not required in the code flow where you are getting the id_token directly from the token endpoint.

It may be better to say nonce is REQUIRED for all response_type except the "code" response_type.

The term implicit flow in the OAuth spec is not well understood.  

In fact one could argue that any public client even one using the code response_type is implicitly identifying itself vis it's registered redirect.

John B.

On 2012-09-03, at 10:00 AM, Roland Hedberg <roland.hedberg at adm.umu.se> wrote:

> Hi!
> I'm almost certain I've asked this before but I've change mail client so
> I might have lost some mails.
> OpenID Connect supports the additional response_type "id_token".
> Just "id_token" !!
> If "id_token" is the response_type what type of flow is it ?
> Or to be more specific; about nonce it's said:
> "Use of the nonce is REQUIRED when using the implicit flow and OPTIONAL
> when using the code flow."
> So, if the response_type == "id_token" is nonce REQUIRED or OPTIONAL.
> -- Roland
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4937 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120903/fac667df/attachment.p7s>

More information about the Openid-specs-ab mailing list