[Openid-specs-ab] response_type and nonce

Nat Sakimura sakimura at gmail.com
Mon Sep 3 23:19:14 UTC 2012


Seems like another ticket item.


On Tue, Sep 4, 2012 at 4:27 AM, Roland Hedberg
<roland.hedberg at adm.umu.se> wrote:
> John Bradley wrote 2012-09-03 18:13:
>> id_token on its own is returned fragment encoded in the front
>> channel.
>> The identity of the requester is implicit through the registered
>> redirect.
>> Nonce is required in that flow.
>> The nonce is only not required in the code flow where you are getting
>> the id_token directly from the token endpoint.
>> It may be better to say nonce is REQUIRED for all response_type
>> except the "code" response_type.
> Absolutely, as it is right now it's open for interpretation which it
> shouldn't be.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Nat Sakimura (=nat)
Chairman, OpenID Foundation
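The rule discussed above (nonce REQUIRED for every response_type except the bare "code" flow, because a fragment-encoded id_token arrives through the front channel and is otherwise not bound to the RP session that requested it) as an RP-side check, written as an added example for this page rather than code from the thread's participants or from any OpenID library. The OP is stood in for by a local HS256 minting routine, the client secret, issuer, subject and callback URL are constructed for the demo, and the helper names (`nonce_required`, `check_nonce`, `handle_fragment_response`) are this example's own:

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: a shared HS256 key standing in for the OP's signing key.
CLIENT_SECRET = b"rp-client-secret-for-demo-only"


def nonce_required(response_type: str) -> bool:
    """Nonce is REQUIRED for every response_type except plain "code".

    response_type is a space-separated list. "id_token", "id_token token",
    "code id_token" and "code token" all hand something back through the
    front channel (fragment), so they need the nonce. Only the bare "code"
    flow obtains the ID Token directly from the token endpoint.
    """
    return set(response_type.split()) != {"code"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 ID Token; stands in for the OP in this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes) -> dict:
    """Check alg and HS256 signature, then return the claims; raise on failure."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed id_token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad id_token signature")
    return json.loads(_b64url_decode(payload))


def check_nonce(claims: dict, response_type: str, session_nonce: Optional[str]) -> None:
    """Enforce the nonce rule for the flow that produced this ID Token."""
    token_nonce = claims.get("nonce")
    if nonce_required(response_type):
        if session_nonce is None or token_nonce is None:
            raise ValueError(f"nonce is REQUIRED for response_type={response_type!r}")
        if not hmac.compare_digest(token_nonce, session_nonce):
            raise ValueError("nonce mismatch: id_token not bound to this session")
    elif session_nonce is not None:
        # Optional in the code flow, but if the RP sent one the OP must echo it.
        if token_nonce is None or not hmac.compare_digest(token_nonce, session_nonce):
            raise ValueError("nonce sent but not echoed correctly")


def handle_fragment_response(redirect_url: str, response_type: str, session: dict, key: bytes) -> dict:
    """RP callback for a front-channel (fragment-encoded) response."""
    frag = parse_qs(urlsplit(redirect_url).fragment)
    if frag.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch")
    claims = verify_id_token(frag["id_token"][0], key)
    check_nonce(claims, response_type, session.get("nonce"))
    return claims


def demo() -> tuple:
    """Accept a token minted for this session; reject one minted without our nonce."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    base = {"iss": "https://op.example", "sub": "alice", "aud": "rp-client"}  # constructed claims
    good = make_id_token(dict(base, nonce=session["nonce"]), CLIENT_SECRET)
    accepted = handle_fragment_response(
        f"https://rp.example/cb#id_token={good}&state={session['state']}",
        "id_token", session, CLIENT_SECRET)["sub"] == "alice"
    # A validly signed token captured from another session carries no (or another) nonce.
    replay = make_id_token(base, CLIENT_SECRET)
    try:
        handle_fragment_response(
            f"https://rp.example/cb#id_token={replay}&state={session['state']}",
            "id_token", session, CLIENT_SECRET)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The `response_type` string is compared as a set so that "code id_token" and "code token" (hybrid flows) still require the nonce; only the exact value "code" is exempt, matching the wording proposed in the quoted message.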
