[Openid-specs-ab] response_type and nonce

Roland Hedberg roland.hedberg at adm.umu.se
Mon Sep 3 19:27:23 UTC 2012

John Bradley wrote 2012-09-03 18:13:
> id_token on its own is returned fragment encoded in the front
> channel.
> The identity of the requester is implicit through the registered
> redirect.
> Nonce is required in that flow.
> The nonce is only not required in the code flow where you are getting
> the id_token directly from the token endpoint.
> It may be better to say nonce is REQUIRED for all response_type
> except the "code" response_type.

Absolutely, as it is right now it's open for interpretation, which it
shouldn't be.
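The rule John proposes (nonce REQUIRED for every response_type except "code") and the reasoning behind it (an id_token delivered fragment-encoded on the front channel has to be bound to the RP session that asked for it) can be exercised end to end. The following is an added example written for this page, not code from the thread or from any OpenID implementation. It assumes a toy OP that signs id_tokens with HS256 under a shared key, one registered client ("client123") with one registered redirect_uri, and hypothetical function names (op_authorize, rp_start, rp_finish); everything else is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: a shared HMAC key standing in for the OP's
# signing key, and one registered client/redirect pair (assumptions).
OP_ISSUER = "https://op.example"
OP_HMAC_KEY = b"example-only-op-signing-key"
REGISTERED_REDIRECTS = {"client123": "https://rp.example/cb"}


def nonce_required(response_type):
    """The rule proposed in the thread: nonce is REQUIRED for every
    response_type except plain "code", where the id_token is obtained from
    the token endpoint over the back channel instead."""
    return set(response_type.split()) != {"code"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims):
    """Minimal HS256 JWT; the signing scheme is an assumption for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_HMAC_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token):
    header, body, sig = token.split(".")
    expected = hmac.new(OP_HMAC_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad id_token signature")
    return json.loads(_b64url_decode(body))


def op_authorize(params):
    """OP side: validate the authorization request and return the redirect
    the user agent would be sent to."""
    rt = params["response_type"]
    client = params["client_id"]
    # Requester identity is implicit in the registered redirect.
    if params["redirect_uri"] != REGISTERED_REDIRECTS.get(client):
        raise ValueError("redirect_uri is not registered for this client")
    nonce = params.get("nonce")
    if nonce_required(rt) and not nonce:
        raise ValueError("nonce is REQUIRED for response_type %r" % rt)
    if rt == "code":
        # Code flow: only an authorization code crosses the front channel.
        query = urlencode({"code": secrets.token_urlsafe(16), "state": params["state"]})
        return params["redirect_uri"] + "?" + query
    claims = {"iss": OP_ISSUER, "sub": "user-42", "aud": client, "nonce": nonce}
    # id_token returned directly: fragment-encoded on the front channel.
    fragment = urlencode({"id_token": mint_id_token(claims), "state": params["state"]})
    return params["redirect_uri"] + "#" + fragment


def rp_start(session, response_type):
    """RP side: build the authorization request, storing state (and a nonce
    when the response_type needs one) in the user's session."""
    session["state"] = secrets.token_urlsafe(16)
    params = {"response_type": response_type, "client_id": "client123",
              "redirect_uri": REGISTERED_REDIRECTS["client123"],
              "scope": "openid", "state": session["state"]}
    if nonce_required(response_type):
        session["nonce"] = secrets.token_urlsafe(16)
        params["nonce"] = session["nonce"]
    return params


def rp_finish(session, redirect_url):
    """RP side: consume a fragment-encoded response. The nonce is popped from
    the session so the same id_token cannot be accepted a second time."""
    frag = parse_qs(urlsplit(redirect_url).fragment)
    if frag.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch")
    claims = verify_id_token(frag["id_token"][0])
    if claims.get("aud") != "client123" or claims.get("iss") != OP_ISSUER:
        raise ValueError("id_token not issued for this RP")
    expected_nonce = session.pop("nonce", None)
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce missing or does not match this session")
    return claims


def run_flow(response_type):
    """Drive one RP<->OP exchange for a front-channel response_type and
    return the verified id_token claims."""
    session = {}
    redirect = op_authorize(rp_start(session, response_type))
    return rp_finish(session, redirect)


if __name__ == "__main__":
    print(run_flow("id_token")["sub"])
```

With this split, an id_token request that omits nonce is refused at the OP, a plain "code" request without nonce is accepted, and on the RP side an id_token whose nonce does not match the session that started the request (or one presented twice) is rejected; that is the binding the nonce provides once the token bypasses the token endpoint.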
