[Openid-specs-ab] [openid/connect] Basic - Drop nonce from basic profile (issue #569)

tlodderstedt issues-reply at bitbucket.org
Fri Apr 6 20:52:55 UTC 2012


New issue 569: Basic - Drop nonce from basic profile 

tlodderstedt on Fri, 6 Apr 2012 22:52:55 +0200:

I would suggest removing nonces from the basic profile and instead using TLS and a single-use restriction on authorization codes to prevent token replay. This is in line with the definitions given in the security considerations section of the OAuth core spec and further simplifies implementations.

In §10.12, it is stated that any client must prevent XSRF:

"The client MUST implement CSRF protection for its redirection URI."
"The client SHOULD utilize the "state" request parameter ..."

§10.5 requires:
"Authorization codes MUST be short lived and single use."

and also states that TLS MUST be used to protect the redirect endpoints of clients that use OAuth for login functions, which clearly holds for OpenID Connect RPs.

"Therefore, if the client relies on the authorization code for its own resource owner authentication, the client redirection endpoint MUST require TLS." 
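As an added illustration (not code from this thread, from the issue author, or from the OAuth/OpenID Connect specifications), the Python sketch below shows the two checks quoted above working together: a relying party that binds the `state` parameter to the browser session and verifies it at its redirection endpoint, and an authorization server that makes authorization codes short lived and single use so a replayed code is refused. The class and function names, the in-memory stores, the 60-second code lifetime and the TLS check on the redirect URI are assumptions made for this example.

```python
"""Constructed example of OAuth 2.0 redirect-endpoint hardening:
a session-bound 'state' parameter against CSRF (core spec section 10.12)
and short-lived, single-use authorization codes (section 10.5).
Not code from the OpenID Connect specs or their authors."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

CODE_TTL_SECONDS = 60  # assumed "short lived" lifetime for this example


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False


@dataclass
class AuthorizationServer:
    """Toy authorization server: codes are short lived and single use."""
    codes: Dict[str, CodeRecord] = field(default_factory=dict)

    def issue_code(self, client_id: str, redirect_uri: str,
                   now: Optional[float] = None) -> str:
        code = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self.codes[code] = CodeRecord(client_id, redirect_uri, issued)
        return code

    def redeem_code(self, code: str, client_id: str, redirect_uri: str,
                    now: Optional[float] = None) -> Optional[str]:
        """Return an access token, or None when the code is unknown, already
        used, expired, or presented by another client / redirect URI."""
        now = time.time() if now is None else now
        rec = self.codes.get(code)
        if rec is None or rec.used:
            return None  # unknown or replayed code
        if now - rec.issued_at > CODE_TTL_SECONDS:
            return None  # expired code
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return None  # code bound to a different client or endpoint
        rec.used = True  # first redemption burns the code
        return "access-token-" + secrets.token_urlsafe(16)


@dataclass
class RelyingParty:
    """Toy client whose redirection endpoint applies the CSRF 'state' check."""
    client_id: str
    redirect_uri: str
    server: AuthorizationServer

    def start_login(self, session: dict) -> dict:
        """Build the authorization request and bind a fresh state to the session."""
        if urlsplit(self.redirect_uri).scheme != "https":
            raise ValueError("redirection endpoint must require TLS")
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state  # tied to this browser session only
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "state": state}

    def handle_redirect(self, session: dict, params: dict,
                        now: Optional[float] = None) -> Optional[str]:
        """Process the callback; return a token or None if any check fails."""
        expected = session.pop("oauth_state", None)  # state is single use too
        received = params.get("state", "")
        if expected is None or not hmac.compare_digest(expected, received):
            return None  # missing or mismatched state: treat as CSRF
        return self.server.redeem_code(params.get("code", ""), self.client_id,
                                       self.redirect_uri, now)
```

The `now` arguments exist only so the lifetime check can be exercised deterministically; a real deployment would use the clock directly and keep the code store in the authorization server's persistent backend.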


