[Openid-specs-ab] [openid/connect] Nonce implementation suggestion is worded too strongly (issue #562)

Justin Richer issues-reply at bitbucket.org
Wed Mar 28 12:32:22 UTC 2012



New issue 562: Nonce implementation suggestion is worded too strongly
https://bitbucket.org/openid/connect/issue/562/nonce-implementation-suggestion-is-worded

Justin Richer / jricher on Wed, 28 Mar 2012 14:32:22 +0200:

Description:
  In section 2.3.1 of Standard, the following text is in the description of the nonce parameter:

{{{
One method is to store a random value as a signed session cookie, and pass the value in the nonce parameter. The nonce in the returned ID Token is compared to the signed session cookie to detect ID Token replay by third parties. 
}}}

While not normative as written, this is implementation advice and has no business inside of definition paragraphs. This placement has led some developers to treat this as the most highly recommended way to implement tracking the nonce at the client side. As there are many different ways to accomplish this (such as storing it in a bound session object, persisting it to a store that's dereferenced in the callback, etc.), I suggest that this text be taken out of the definition. It could then be added to a separate, more non-normative paragraph describing several methods to track the nonce, if desired. Alternatively, it could be removed completely without negatively affecting the strength of the text.
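The signed-cookie method quoted from the spec, worked through end to end as an added example (not code from the OpenID Connect specification, the issue, or any implementation): the relying party generates a random nonce, stores it in an HMAC-signed cookie, sends it in the authorization request, and on callback compares it with the `nonce` claim of the ID Token. The cookie-signing key, the HS256 issuer key, the hostnames and the client id are all constructed placeholders; a real client would verify the issuer's signature with its published keys rather than a shared HS256 secret.

```python
"""Client-side nonce tracking for an OpenID Connect ID Token via a signed cookie.

Added example, not code from the specification or the issue. Assumed:
a hypothetical relying party (RP) with its own cookie-signing key, and a
minimal HS256-signed JWT built locally so the flow runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

COOKIE_KEY = b"constructed-cookie-signing-key"   # hypothetical RP secret
IDP_KEY = b"constructed-issuer-hs256-key"        # hypothetical key shared with the IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_nonce() -> str:
    """Unguessable per-request value; URL-safe, so it never contains '.'."""
    return secrets.token_urlsafe(32)


def sign_cookie(value: str) -> str:
    """Return 'value.signature' so the browser cannot alter the stored nonce."""
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).digest()
    return f"{value}.{_b64url(mac)}"


def read_signed_cookie(cookie: str):
    """Return the nonce if the cookie signature verifies, else None."""
    value, _, sig = cookie.rpartition(".")
    if not value or not sig:
        return None
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return value


def build_authorization_url(nonce: str) -> str:
    """Implicit-flow request carrying the nonce the RP expects back in the token."""
    params = {"response_type": "id_token", "client_id": "example-rp",
              "redirect_uri": "https://rp.example/cb", "scope": "openid",
              "nonce": nonce}
    return "https://idp.example/authorize?" + urlencode(params)


def hs256_id_token(claims: dict) -> str:
    """Constructed stand-in for the IdP: sign the claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def demo_id_token(nonce: str, lifetime: int = 300) -> str:
    """Constructed ID Token bound to the given nonce, valid for `lifetime` seconds."""
    return hs256_id_token({"iss": "https://idp.example", "sub": "user-1",
                           "aud": "example-rp", "nonce": nonce,
                           "exp": int(time.time()) + lifetime})


def verify_id_token_nonce(id_token: str, cookie: str) -> bool:
    """Accept the token only if its signature, alg, expiry and nonce all check out."""
    expected_nonce = read_signed_cookie(cookie)
    if expected_nonce is None:          # no or tampered cookie: replay cannot bind
        return False
    try:
        header, body, sig = id_token.split(".")
    except ValueError:
        return False
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False                    # refuse alg confusion (e.g. "none")
    mac = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(mac), sig):
        return False
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        return False
    return hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce)


if __name__ == "__main__":
    nonce = new_nonce()
    cookie = sign_cookie(nonce)            # Set-Cookie on the RP response
    print(build_authorization_url(nonce))  # redirect the browser here
    print(verify_id_token_nonce(demo_id_token(nonce), cookie))  # True
```

Once the token has been accepted the RP clears the cookie, so a replayed ID Token arrives with no matching signed nonce and is rejected; the same check also fails for a token minted for a different nonce.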




