[Openid-specs-ab] Nonce value suggestion for the Implicit Flow

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Thu Oct 24 20:11:15 UTC 2013


+1 I also find the example too client specific.

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com

 I'm actually in favor of dropping this example, or else providing it in
a list of alternatives. The important thing is that the client can
validate the exact value of the nonce parameter on its way back through,
the mechanics of how that happens are client specific (but we can
provide simple guidance). 
  -- Justin

  On Oct 24, 2013, at 11:44 AM, Mike Jones <Michael.Jones at microsoft.com>
 wrote:

     For the Implicit Flow, the “nonce” description contains this
text at http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest:
Sufficient entropy MUST be present in the nonce values used to prevent
attackers from guessing values. One method to achieve this is to store a
random value as a signed session cookie, and pass the value in the nonce
parameter. In that case, the nonce in the returned ID Token can be
compared to the signed session cookie to detect ID Token replay by third
parties.
 
George wrote this about the suggestion in his review:
“I'm not sure this suggestion makes sense for the implicit flow. The
client would need to write a cookie value on the domain of the
redirect_uri and the attempt to read it on the return of the implicit
flow. Wondering if a local storage example would make more sense.”
 
Do people agree with him?  If so, does someone want to supply specific
alternative text to use?
 
  -- Mike
 

_______________________________________________
 Openid-specs-ab mailing list
 Openid-specs-ab at lists.openid.net
 http://lists.openid.net/mailman/listinfo/openid-specs-ab
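The spec text quoted above describes the signed-session-cookie approach: the client stores a random nonce in a cookie it has signed, sends the same value as the nonce parameter, and on return checks the ID Token's nonce claim against the cookie. The following is an added illustration of that check (not code from the thread or from any of the posters); the key, the helper names and the constructed claims are assumptions, and the claims are taken to come from an ID Token whose signature the client has already validated.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: the client's own cookie-signing key (constructed for this example).
COOKIE_KEY = b"constructed-demo-cookie-signing-key"


def make_nonce() -> str:
    """32 random bytes: the 'sufficient entropy' the spec text asks for."""
    return secrets.token_urlsafe(32)


def sign_cookie(nonce: str, key: bytes = COOKIE_KEY) -> str:
    """Cookie value of the form <nonce>.<base64url(HMAC-SHA256(key, nonce))>."""
    mac = hmac.new(key, nonce.encode("ascii"), hashlib.sha256).digest()
    return nonce + "." + base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def verify_cookie(cookie: str, key: bytes = COOKIE_KEY):
    """Return the nonce carried by a correctly signed cookie, else None.

    A tampered or forged cookie must not yield a nonce, otherwise an attacker
    could make the client 'expect' whatever nonce a replayed ID Token carries.
    """
    nonce, sep, _sig = cookie.rpartition(".")
    if not sep or not nonce:
        return None
    if not hmac.compare_digest(sign_cookie(nonce, key), cookie):
        return None
    return nonce


def id_token_nonce_matches(id_token_claims: dict, cookie: str) -> bool:
    """True only if the ID Token's nonce equals the nonce bound to this session."""
    expected = verify_cookie(cookie)
    if expected is None:
        return False
    actual = id_token_claims.get("nonce")
    return isinstance(actual, str) and hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed round trip: nonce issued before redirect, checked on return.
    nonce = make_nonce()
    cookie = sign_cookie(nonce)
    print("fresh token accepted:", id_token_nonce_matches({"nonce": nonce}, cookie))
    print("foreign token rejected:", not id_token_nonce_matches({"nonce": make_nonce()}, cookie))
```

As George notes, the cookie has to be set on the redirect_uri's domain for this to work at all; a browser-side client would keep the same nonce in local storage instead and do the same comparison there.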