[Openid-specs-ab] Nonce value suggestion for the Implicit Flow

Richer, Justin P. jricher at mitre.org
Thu Oct 24 19:56:09 UTC 2013


I'm actually in favor of dropping this example, or else providing it in a list of alternatives. The important thing is that the client can validate the exact value of the nonce parameter on its way back through, the mechanics of how that happens are client specific (but we can provide simple guidance).

 -- Justin

On Oct 24, 2013, at 11:44 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

For the Implicit Flow, the “nonce” description contains this text at http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest:
Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. One method to achieve this is to store a random value as a signed session cookie, and pass the value in the nonce parameter. In that case, the nonce in the returned ID Token can be compared to the signed session cookie to detect ID Token replay by third parties.

George wrote this about the suggestion in his review:
“I'm not sure this suggestion makes sense for the implicit flow. The client would need to write a cookie value on the domain of the redirect_uri and then attempt to read it on the return of the implicit flow. Wondering if a local storage example would make more sense.”

Do people agree with him?  If so, does someone want to supply specific alternative text to use?

 -- Mike

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab


