[Openid-specs-ab] Nonce requirement in hybrid auth request

Mike Jones Michael.Jones at microsoft.com
Wed Aug 19 19:52:06 UTC 2015


Thanks, Vladimir.  As part of the errata 2 process, the nonce requirement was added to 3.3.2.1 in http://openid.bitbucket.org/openid-connect-core-1_0.html#HybridAuthRequest.  Note that this is not a normative change, since 3.3.2.11 already required a nonce for the Hybrid flow.

				Thanks again,
				-- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov
Sent: Tuesday, July 07, 2015 2:01 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Nonce requirement in hybrid auth request

Hello guys,

I noticed that Core doesn't specify the conditions when nonce is required in hybrid authentication requests:

http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest

Shouldn't there be a sentence that nonce is required when response_type is "code id_token" or "code id_token token" (and optional with "code token")?

The hybrid example seems correct.

Cheers,

Vladimir

--
Vladimir Dzhuvinov


_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
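The following is an added example, not code from the thread or from the OpenID Connect specification, showing how the nonce rule discussed above is enforced in practice: an OP-side check that rejects an Authentication Request without a nonce when the response_type selects the Implicit or Hybrid flow, and RP-side bookkeeping that generates one unpredictable nonce per request, binds it to state, and verifies the nonce claim of the returned ID Token once. The response_type-to-flow mapping follows the table in Core section 3; the client_id, redirect_uri and ID Token claims are constructed for the example, and ID Token signature validation is assumed to happen elsewhere.

```python
import hmac
import secrets

CODE_FLOW, IMPLICIT_FLOW, HYBRID_FLOW = "authorization_code", "implicit", "hybrid"

# response_type -> flow, per the table in OpenID Connect Core 1.0 section 3.
_FLOW_BY_RESPONSE_TYPE = {
    frozenset({"code"}): CODE_FLOW,
    frozenset({"id_token"}): IMPLICIT_FLOW,
    frozenset({"id_token", "token"}): IMPLICIT_FLOW,
    frozenset({"code", "id_token"}): HYBRID_FLOW,
    frozenset({"code", "token"}): HYBRID_FLOW,
    frozenset({"code", "id_token", "token"}): HYBRID_FLOW,
}


def flow_for(response_type):
    """Classify a space-separated response_type; token order does not matter."""
    parts = response_type.split()
    key = frozenset(parts)
    if not parts or len(parts) != len(key) or key not in _FLOW_BY_RESPONSE_TYPE:
        raise ValueError(f"unsupported response_type: {response_type!r}")
    return _FLOW_BY_RESPONSE_TYPE[key]


def nonce_required(response_type):
    """nonce is REQUIRED for the Implicit and Hybrid flows and OPTIONAL for the code flow."""
    return flow_for(response_type) != CODE_FLOW


def check_auth_request(params):
    """OP-side check on an Authentication Request given as a dict of query parameters.

    Returns the flow name, or raises ValueError for an invalid request."""
    response_type = params.get("response_type", "")
    flow = flow_for(response_type)
    if flow != CODE_FLOW and not params.get("nonce"):
        raise ValueError(f"invalid_request: nonce is required for response_type {response_type!r}")
    return flow


class RelyingParty:
    """Minimal RP-side bookkeeping: one nonce per request, bound to state, consumed once."""

    def __init__(self):
        self._pending = {}  # state -> nonce sent with that request (None for the code flow)

    def build_auth_params(self, response_type, client_id, redirect_uri):
        """Build the Authentication Request parameters; add a fresh nonce when the flow needs one."""
        state = secrets.token_urlsafe(16)
        params = {"response_type": response_type, "client_id": client_id,
                  "redirect_uri": redirect_uri, "scope": "openid", "state": state}
        nonce = secrets.token_urlsafe(32) if nonce_required(response_type) else None
        if nonce is not None:
            params["nonce"] = nonce
        self._pending[state] = nonce
        return params

    def verify_callback(self, state, id_token_claims):
        """Check the ID Token's nonce claim against the nonce sent for this state, then discard it.

        Popping the state makes both state and nonce single-use, so a replayed
        callback is rejected even if its nonce matches."""
        if state not in self._pending:
            raise ValueError("unknown or replayed state")
        expected = self._pending.pop(state)
        if expected is None:
            return True  # code flow: no nonce was sent, so there is nothing to compare
        got = id_token_claims.get("nonce")
        if not isinstance(got, str) or not hmac.compare_digest(got, expected):
            raise ValueError("nonce mismatch: ID Token is not bound to this session")
        return True
```

check_auth_request is the piece that corresponds to the text added to 3.3.2.1: an OP applying it to "code token" rejects a nonce-less request, because the check keys off the flow rather than off whether an id_token is returned from the Authorization Endpoint.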


