[Openid-specs-ab] Another question regarding nonce
John Bradley
ve7jtb at ve7jtb.com
Fri Nov 30 00:46:43 UTC 2012
The nonce is sent in the authorization request. It is returned in the id_token if sent in the authorization request.
The nonce is optional in basic. It provides a way of binding the original request to the id_token returned and preventing replay attacks in the implicit flow.
The nonce is not sent with code to the token endpoint.
John B.
On 2012-11-29, at 9:27 PM, Sascha Preibisch <spreibisch at layer7tech.com> wrote:
> Hi!
>
> I tried to find an answer for my question in older mailing list posts but I did not find it.
>
> I would like to know if a basic client profile client should pass in the optional “nonce” parameter with the initial authorization request or when requesting an “access_token” in exchange for the “code”. I assume the spec refers to the initial request.
> As a client I do not really care when it has to be passed in. But as a server I would prefer to receive the “nonce” when the client exchanges the “code” for an “access_token”.
>
> Thanks,
> Sascha
>
> Sascha Preibisch
> Senior Software Developer, Tactical Team
> Layer 7 Technologies
> 405-1100 Melville St. Vancouver BC, V6E 4A6
> spreibisch at layer7tech.com
> (778) 328-5288
> http://www.layer7tech.com
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
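The binding John describes, as an added example that is not part of this thread (Python, with constructed endpoint names, client id and id_token claims): the client sends the nonce only in the authorization request, exchanges the code without it, and accepts an id_token only if its nonce claim matches the value stored for that request and has not been consumed already.

```python
import secrets
import urllib.parse

def build_authorization_request(authz_endpoint, client_id, redirect_uri, session):
    """Authorization request for the Basic Client profile (response_type=code).
    The nonce is sent here and only here; it is kept in the client's session
    under the request's state so the returned id_token can be bound to it."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    session[state] = {"nonce": nonce, "used": False}
    params = {"response_type": "code", "client_id": client_id, "scope": "openid",
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return authz_endpoint + "?" + urllib.parse.urlencode(params), state

def build_token_request(code, redirect_uri):
    """Code-for-token exchange at the token endpoint: there is no nonce here."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}

def verify_id_token_nonce(session, state, id_token_claims):
    """Accept the id_token only if its nonce claim equals the nonce this session
    sent in the request identified by `state`, and only once per request."""
    entry = session.get(state)
    if entry is None or entry["used"]:
        return False  # unknown request, or an id_token being replayed
    presented = str(id_token_claims.get("nonce", ""))
    if not secrets.compare_digest(entry["nonce"].encode(), presented.encode()):
        return False  # id_token was not issued for our request
    entry["used"] = True  # consume it: a second presentation is a replay
    return True

def demo_flow():
    """Walk the flow with constructed values and return the check results."""
    session = {}
    url, state = build_authorization_request(
        "https://op.example/authorize", "client-123", "https://rp.example/cb", session)
    sent = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    token_req = build_token_request("constructed-code", "https://rp.example/cb")
    # Constructed id_token claims as the OP would return them; signature and
    # issuer checks are assumed done elsewhere, only the nonce binding is shown.
    good = {"iss": "https://op.example", "sub": "u1", "nonce": session[state]["nonce"]}
    bad = dict(good, nonce="constructed-foreign-nonce")
    return {"nonce_in_authz_request": sent.get("nonce") == [session[state]["nonce"]],
            "nonce_in_token_request": "nonce" in token_req,
            "wrong_nonce_rejected": not verify_id_token_nonce(session, state, bad),
            "first_use_accepted": verify_id_token_nonce(session, state, good),
            "replay_rejected": not verify_id_token_nonce(session, state, good)}
```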