[Openid-specs-ab] response_type and nonce
sakimura at gmail.com
Mon Sep 3 23:19:14 UTC 2012
Seems like another ticket item.
On Tue, Sep 4, 2012 at 4:27 AM, Roland Hedberg
<roland.hedberg at adm.umu.se> wrote:
> John Bradley wrote 2012-09-03 18:13:
>> id_token on its own is returned fragment encoded in the front
>> The identity of the requester is implicit through the registered
>> Nonce is required in that flow.
>> The nonce is only not required in the code flow where you are getting
>> the id_token directly from the token endpoint.
>> It may be better to say nonce is REQUIRED for all response_type
>> except the "code" response_type.
> Absolutely, as it is right now it's open for interpretation which it
> shouldn't be.
Nat Sakimura (=nat)
Chairman, OpenID Foundation
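
The rule proposed in this thread (nonce REQUIRED for every response_type except "code"), written as a request check. This is an added example, not part of the original messages or of any specification text; the function name, the host op.example and the parameter values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs


def check_nonce_rule(authz_url):
    """Apply the thread's proposed rule to an authorization request URL.

    Returns (ok, reason). Hypothetical helper, not from any OpenID library.
    """
    params = parse_qs(urlsplit(authz_url).query, keep_blank_values=True)

    rtypes = params.get("response_type", [])
    if len(rtypes) != 1 or not rtypes[0].strip():
        return False, "response_type missing or repeated"

    # response_type is a space-delimited set, so "id_token code" and
    # "code id_token" must be treated the same way.
    requested = frozenset(rtypes[0].split())

    nonces = params.get("nonce", [])
    if len(nonces) > 1:
        return False, "nonce repeated"
    has_nonce = bool(nonces and nonces[0])  # an empty nonce= does not count

    # The only exemption: plain "code", where the id_token comes
    # directly from the token endpoint.
    if requested == {"code"}:
        return True, "nonce optional for code"
    if not has_nonce:
        return False, "nonce required for " + " ".join(sorted(requested))
    return True, "nonce present"


# Constructed sample requests (not captured traffic).
BASE = "https://op.example/authorize?client_id=c1&scope=openid&"
SAMPLES = [
    BASE + "response_type=code",
    BASE + "response_type=id_token",
    BASE + "response_type=id_token&nonce=n-0S6_WzA2Mj",
    BASE + "response_type=id_token+code",
    BASE + "response_type=code%20id_token&nonce=",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_nonce_rule(url), url)
```

Mixed response types such as "code id_token" are not exempt under the wording proposed in the thread, because only the exact value "code" is excepted.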