[Openid-specs-ab] response_type and nonce
roland.hedberg at adm.umu.se
Mon Sep 3 19:27:23 UTC 2012
John Bradley wrote 2012-09-03 18:13:
> id_token on its own is returned fragment encoded in the front
> The identity of the requester is implicit through the registered
> Nonce is required in that flow.
> The nonce is only not required in the code flow where you are getting
> the id_token directly from the token endpoint.
> It may be better to say nonce is REQUIRED for all response_type
> except the "code" response_type.
Absolutely, as it is right now it's open for interpretation which it
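
The rule proposed in this thread (nonce REQUIRED for every response_type except "code"), as an added example that is not part of either message or of the specification text. The names `InvalidRequest`, `nonce_required`, `check_authorization_request` and `check_id_token_nonce` are hypothetical, and any request URL passed in is constructed sample input.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


class InvalidRequest(ValueError):
    """Hypothetical error type; maps to the OAuth 2.0 'invalid_request' error."""


def nonce_required(response_type: str) -> bool:
    # response_type is a space-delimited, order-insensitive set of values.
    values = frozenset(response_type.split())
    if not values:
        raise InvalidRequest("response_type is missing")
    # Rule as proposed in the thread: only the plain "code" flow is exempt.
    return values != frozenset({"code"})


def check_authorization_request(url: str) -> dict:
    """OP side: reject a request that omits a nonce where the rule requires one."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in ("response_type", "nonce"):
        if len(params.get(name, [])) > 1:
            raise InvalidRequest(f"duplicate {name} parameter")
    response_type = params.get("response_type", [""])[0]
    nonce = params.get("nonce", [""])[0]
    if nonce_required(response_type) and not nonce:
        raise InvalidRequest(f"nonce is required for response_type={response_type!r}")
    return {"response_type": sorted(response_type.split()), "nonce": nonce or None}


def check_id_token_nonce(claims: dict, sent_nonce) -> bool:
    """RP side: the id_token must echo the nonce sent in the request."""
    if sent_nonce is None:
        return True  # plain code flow without a nonce: nothing to bind
    got = claims.get("nonce")
    if not isinstance(got, str) or not hmac.compare_digest(
        got.encode(), sent_nonce.encode()
    ):
        raise InvalidRequest("id_token nonce does not match the request")
    return True
```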