[Openid-specs-ab] Hybrid Flow | nonce | required or optional?
Mike Jones
Michael.Jones at microsoft.com
Thu Jan 10 19:33:32 UTC 2019
I believe that the nonce edits in the current editor's draft at https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest and https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken finish addressing this issue in a way that reflects the working group consensus. Please review.
-- Mike
From: Christian Mainka <Christian.Mainka at rub.de>
Sent: Friday, December 21, 2018 2:33 AM
To: openid-specs-ab at lists.openid.net
Cc: vladislav.mladenov at rub.de; n-sakimura at nri.co.jp; ve7jtb at ve7jtb.com; Mike Jones <Michael.Jones at microsoft.com>; breno at google.com; cmortimore at salesforce.com
Subject: [Openid-specs-ab] Hybrid Flow | nonce | required or optional?
Hi,
we are unsure if nonce is OPTIONAL or REQUIRED in the Hybrid Flow.
· Hybrid Flow => ID Token (Section 3.3.2.11, https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken) states nonce is REQUIRED.
· Hybrid Flow => Authentication Request (Section 3.3.2.1, https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest) refers to Code => Authentication Request (Section 3.1.2.1, https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), where nonce is OPTIONAL.
What does this mean for the case in which no nonce is used in the Authentication Request (OPTIONAL: nonce)?
Does the IdP have to generate its own nonce and include it in the ID Token (REQUIRED: nonce)?
Or is this a bug in the specification?
Best Regards
Vladislav/Christian
--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr-University Bochum, Germany
Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
http://nds.rub.de/chair/people/cmainka/
@CheariX
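An RP-side illustration of the two rules the thread contrasts (nonce OPTIONAL in the Code Flow Authentication Request, REQUIRED in an ID Token returned by the Hybrid Flow), added here as example code that is not part of the thread or of any OpenID Connect implementation. It assumes the RP treats nonce as mandatory whenever the response_type includes id_token, that signature, iss, aud and exp checks on the ID Token are done elsewhere, and that the session store and claims dict are constructed for the example.

```python
import secrets

class NonceError(Exception):
    """Raised when an ID Token is rejected because of its nonce."""

def nonce_required(response_type: str) -> bool:
    # Assumption: any response_type that returns an ID Token from the Authorization
    # Endpoint (Implicit and Hybrid Flows) needs a nonce; plain "code" leaves it optional.
    return "id_token" in response_type.split()

def build_auth_request(response_type: str, client_id: str,
                       redirect_uri: str, session: dict) -> dict:
    """Build the request parameters; bind state and nonce to the (constructed) session."""
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": secrets.token_urlsafe(16),
    }
    if nonce_required(response_type):
        params["nonce"] = secrets.token_urlsafe(16)
    session["state"] = params["state"]
    session["nonce"] = params.get("nonce")  # None for a nonce-less Code Flow
    session["nonce_consumed"] = False
    return params

def nonce_problem(response_type: str, claims: dict, session: dict) -> "str | None":
    """Why the ID Token's nonce is unacceptable, or None; `claims` is the payload
    after signature, iss, aud and exp checks (assumed done elsewhere)."""
    sent = session.get("nonce")
    received = claims.get("nonce")
    if session.get("nonce_consumed"):
        return "nonce already consumed: possible ID Token replay"
    if sent is None:
        if nonce_required(response_type):
            return "flow requires a nonce but none was sent in the request"
        return None  # Code Flow without nonce: nothing to compare against
    if not isinstance(received, str):
        return "nonce was sent but the ID Token carries no nonce claim"
    if not secrets.compare_digest(received.encode(), sent.encode()):
        return "ID Token nonce does not match the one sent"
    return None

def validate_nonce(response_type: str, claims: dict, session: dict) -> None:
    """Enforce the rules above and retire the nonce so it is single use."""
    problem = nonce_problem(response_type, claims, session)
    if problem is not None:
        raise NonceError(problem)
    session["nonce_consumed"] = True
```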