[Openid-specs-ab] backchannel logout: nonce and key

Mike Jones Michael.Jones at microsoft.com
Sun Mar 26 20:45:07 UTC 2017

Actually, I agree with you.  I’m fine with pulling the normative text about not using “nonce” and only explaining why logout tokens and ID Tokens can’t be confused in the security considerations section.  The new thought is that even if a nonce were included for some reason, its value will be different, and so won’t match the nonce value of any authentication request – hence confusion with a valid ID Token isn’t possible.

Experience has shown that talking about nonce this way has led people down blind alleys and caused unproductive discussions.  We should explain why there’s not a problem in the Security Considerations section and leave it at that.

                                                       -- Mike

From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Sunday, March 26, 2017 5:55 AM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: Nat Sakimura <sakimura at gmail.com>; Axel Nennker <Axel.Nennker at telekom.de>; John Bradley <ve7jtb at ve7jtb.com>; jricher at mit.edu; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] backchannel logout: nonce and key

On 25.03.2017 at 21:50, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

Frankly, I hope people will stop arguing from the premise that logout tokens and SETs will be confused with ID Tokens, because starting with a false premise isn’t a good way to further meaningful discussion.

Hi Mike,

Following your argument: why is the nonce claim even mentioned in the spec? I think this makes people think about using (or not using) id tokens as logout tokens.

kind regards,