[Openid-specs-ab] [openid/connect] nonce requirements in messages not present in basic (issue #834)

Pamela Dingle issues-reply at bitbucket.org
Mon May 6 08:29:51 UTC 2013


New issue 834: nonce requirements in messages not present in basic
https://bitbucket.org/openid/connect/issue/834/nonce-requirements-in-messages-not-present

Pamela Dingle:

In the messages spec section 2.1.2.1, nonce is defined as OPTIONAL or REQUIRED, and it says that if the nonce is present in the ID Token, the client MUST check that the value of the nonce returned in the ID Token matches the value of the nonce sent in the authorization request.

In the basic profile however, nonce is not even listed as part of the ID Token in section 2.2, and there is no mention of the requirement to validate the nonce should it be returned in section 2.2.1, ID Token Validation.

Recommend that the nonce value be added to section 2.2 of the basic profile and that the validation requirement to check nonce be added to section 2.2.1 of the basic profile.
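The check the issue asks the Basic profile to spell out, as an added example that is not part of the issue, the mailing list thread, or any OpenID Foundation code: a relying party generates a nonce, stores it in its session alongside the authorization request, and after verifying the ID Token signature rejects the token unless the returned nonce equals the one it sent. The session is modelled as a plain dict, the ID Token is minted locally with a constructed HS256 secret so the example runs offline (a real client verifies the provider's RS256 tokens against its published JWKS), and the function names are this example's own.

```python
"""Binding an OpenID Connect ID Token to the authorization request via nonce.
Added example; the session store, secret and function names are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed shared secret so HS256 demo tokens can be minted and checked
# offline. A deployed client uses the OP's JWKS and the algorithm it advertises.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(session: dict, client_id: str, redirect_uri: str) -> dict:
    """Create the authorization request and remember nonce and state in the
    client's session so the eventual ID Token can be tied back to this request."""
    nonce = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    session["oidc_state"] = state
    return {
        "response_type": "code", "scope": "openid", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
    }


def make_demo_id_token(claims: dict) -> str:
    """Stand-in for the OP: mint an HS256-signed ID Token carrying `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature_and_decode(id_token: str) -> dict:
    """Check the signature before trusting any claim, then return the payload."""
    try:
        header, payload, sig = id_token.split(".")
    except ValueError:
        raise ValueError("malformed ID Token") from None
    expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("ID Token signature invalid")
    return json.loads(_b64url_decode(payload))


def validate_nonce(claims: dict, session: dict) -> None:
    """A nonce returned in the ID Token MUST equal the nonce sent in the request.
    The stored nonce is consumed on first use so a replayed token cannot pass."""
    sent = session.pop("oidc_nonce", None)
    returned = claims.get("nonce")
    if sent is None and returned is None:
        return  # nonce was OPTIONAL for this flow and neither side used one
    if sent is None or returned is None:
        raise ValueError("nonce present on only one side of the exchange")
    if not hmac.compare_digest(sent.encode(), str(returned).encode()):
        raise ValueError("nonce in ID Token does not match the authorization request")


def validate_id_token(id_token: str, session: dict) -> dict:
    """Signature first, then nonce binding; returns the claims if both pass."""
    claims = verify_signature_and_decode(id_token)
    validate_nonce(claims, session)
    return claims


def id_token_accepted(id_token: str, session: dict) -> bool:
    """Convenience wrapper: True if the token passes validation, False otherwise."""
    try:
        validate_id_token(id_token, session)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sess = {}
    req = build_authorization_request(sess, "client-1", "https://rp.example/cb")
    tok = make_demo_id_token({"iss": "https://op.example", "sub": "alice",
                              "aud": "client-1", "nonce": req["nonce"]})
    print(validate_id_token(tok, sess))
```

The nonce is popped from the session before comparison, so a second presentation of the same ID Token (or one carrying a stale nonce from an earlier request) fails regardless of whether the first one was accepted; `state` is stored the same way and should be checked against the redirect before the code is exchanged.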




More information about the Openid-specs-ab mailing list