[Openid-specs-ab] Hybrid Flow | nonce | required or optional?

Mike Jones Michael.Jones at microsoft.com
Thu Jan 10 19:33:32 UTC 2019

I believe that the nonce edits in the current editor's draft at https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest and https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken finish addressing this issue in a way that reflects the working group consensus. Please review.

                                                -- Mike

From: Christian Mainka <Christian.Mainka at rub.de>
Sent: Friday, December 21, 2018 2:33 AM
To: openid-specs-ab at lists.openid.net
Cc: vladislav.mladenov at rub.de; n-sakimura at nri.co.jp; ve7jtb at ve7jtb.com; Mike Jones <Michael.Jones at microsoft.com>; breno at google.com; cmortimore at salesforce.com
Subject: [Openid-specs-ab] Hybrid Flow | nonce | required or optional?


We are unsure if nonce is OPTIONAL or REQUIRED in the Hybrid Flow.

- Hybrid Flow => ID Token (Section 1 <https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken>) states nonce is REQUIRED.
- Hybrid Flow => Authentication Request (Section 2 <https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest>) refers to Code => Authentication Request (Section 3 <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>), where nonce is OPTIONAL.

What does this mean for the case in which no nonce is used in the Authentication Request (OPTIONAL: nonce)?
Does the IdP have to generate its own nonce and include it in the ID Token (REQUIRED: nonce)?

Or is this a bug in the specification?

Best Regards


Dr.-Ing. Christian Mainka

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Ruhr-University Bochum, Germany

Universitätsstr. 150, ID 2/463

D-44801 Bochum, Germany

Telefon: +49 (0) 234 / 32-26796

Fax: +49 (0) 234 / 32-14347
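As an added illustration of the RP-side behaviour the question touches on (example code written for this page, not from the thread, the specification or any OpenID implementation; the issuer, client_id and redirect_uri values are hypothetical): the RP always generates a nonce for a Hybrid Flow request, remembers it, and refuses any returned ID Token whose nonce Claim is missing or does not match.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Hypothetical OP and client values, constructed for this example only.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-id"
REDIRECT_URI = "https://rp.example/cb"


def build_hybrid_auth_request(session: dict) -> str:
    """Build a Hybrid Flow Authentication Request (response_type=code id_token).

    The RP always sends a nonce and stores it in the per-user session, so the
    ID Token returned from the Authorization Endpoint can be bound to exactly
    this request. Sending a nonce unconditionally sidesteps the question of
    what an OP would put in the (REQUIRED) nonce Claim when none was sent.
    """
    nonce = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    session["nonce"] = nonce
    session["state"] = state
    params = {
        "response_type": "code id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/authorize?" + urlencode(params)


def check_hybrid_nonce(session: dict, claims: dict) -> bool:
    """Validate the nonce Claim of an ID Token received in the Hybrid Flow.

    `claims` is the payload of an ID Token whose signature has already been
    verified. The stored nonce is consumed on first use, so a second ID Token
    presented for the same request (a replay) is rejected as well.
    """
    expected = session.pop("nonce", None)
    got = claims.get("nonce")
    if expected is None or not isinstance(got, str):
        return False  # no nonce issued, or nonce Claim absent/malformed
    return hmac.compare_digest(expected.encode(), got.encode())
```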
