[Openid-specs-ab] Potential ambiguity with how nonce is handled on refresh

William Denniss wdenniss at google.com
Fri Apr 20 21:37:46 UTC 2018

Currently the OpenID Specification in section 12.2 documents how the ID
Token processing differs when the ID Token is received during refresh.

'nonce' is not listed as one of the modified behaviors, thus the reader may
think it falls under the catch all "otherwise, the same rules apply as
apply when issuing an ID Token at the time of the original authentication."

However, most token endpoints only return the 'nonce' in the ID Token
issued in response to the authorization_code grant type (which makes sense).

The definition of nonce in Section 2 clearly associates it with the
Authorization Request but it may leave some ambiguity along the lines of
"do the nonce rules apply to the token response when if the authorization
request had a 'nonce', with is true for several other ID Token claims?)

Should we explicitly document in section 12.2 that 'nonce' is not expected
to be present in ID Tokens returned for the refresh_token grant type?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20180420/b8a4fc54/attachment.html>

More information about the Openid-specs-ab mailing list