[Openid-specs-ab] Potential ambiguity with how nonce is handled on refresh

William Denniss wdenniss at google.com
Sat Apr 21 06:34:39 UTC 2018

Ok, I have:

I proposed some text as well.

On Fri, Apr 20, 2018 at 7:53 PM, n-sakimura <n-sakimura at nri.co.jp> wrote:

> Good catch. Please put it in the issue tracker.
> Get Outlook for iOS <https://aka.ms/o0ukef>
> ------------------------------
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on
> behalf of William Denniss via Openid-specs-ab <
> openid-specs-ab at lists.openid.net>
> *Sent:* Saturday, April 21, 2018 5:37:46 AM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* [Openid-specs-ab] Potential ambiguity with how nonce is
> handled on refresh
> Currently the OpenID Specification in section 12.2 documents how the ID
> Token processing differs when the ID Token is received during refresh.
> 'nonce' is not listed as one of the modified behaviors, thus the reader
> may think it falls under the catch all "otherwise, the same rules apply as
> apply when issuing an ID Token at the time of the original authentication."
> However, most token endpoints only return the 'nonce' in the ID Token
> issued in response to the authorization_code grant type (which makes sense).
> The definition of nonce in Section 2 clearly associates it with the
> Authorization Request but it may leave some ambiguity along the lines of
> "do the nonce rules apply to the token response if the authorization
> request had a 'nonce', which is true for several other ID Token claims?"
> Should we explicitly document in section 12.2 that 'nonce' is not expected
> to be present in ID Tokens returned for the refresh_token grant type?
> William
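As an added illustration (not code from this thread or from the OpenID Foundation), a Python validator that applies the refresh-time comparisons of section 12.2 and checks 'nonce' only for the authorization_code grant, so a refresh-issued ID Token without a nonce is not rejected; the issuer, client_id and sample payloads are constructed, and signature verification is assumed to have happened already.

```python
import time


def validate_id_token_claims(claims, issuer, client_id, grant_type,
                             expected_nonce=None, original_claims=None, now=None):
    """Return a list of problems; an empty list means the ID Token is acceptable.

    claims: decoded payload of an ID Token whose signature has already been verified.
    grant_type: "authorization_code" or "refresh_token".
    expected_nonce: nonce sent in the Authorization Request (authorization_code only).
    original_claims: payload of the ID Token from the original authentication
        (refresh_token only), needed for the section 12.2 comparisons.
    """
    now = time.time() if now is None else now
    errors = []
    # Checks that apply to every ID Token, whichever grant produced it.
    if claims.get("iss") != issuer:
        errors.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        errors.append("aud does not contain this client_id")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        errors.append("azp must equal client_id when aud has multiple values")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        errors.append("exp missing or in the past")
    if grant_type == "authorization_code":
        # The nonce binds this ID Token to the Authorization Request that started the flow.
        if expected_nonce is not None and claims.get("nonce") != expected_nonce:
            errors.append("nonce missing or does not match the Authorization Request")
    elif grant_type == "refresh_token":
        # No nonce check here: refresh responses normally omit it, and there is no
        # Authorization Request for it to be bound to (the point raised in the thread).
        if original_claims is None:
            errors.append("original ID Token claims are required to validate a refresh")
        else:
            for name in ("iss", "sub", "aud", "azp"):
                if claims.get(name) != original_claims.get(name):
                    errors.append(f"{name} differs from the original ID Token")
    else:
        errors.append(f"unsupported grant_type {grant_type!r}")
    return errors


# Constructed sample payloads (not real tokens) for client "client-1" at issuer
# "https://op.example"; ORIGINAL came from the authorization_code grant, REFRESHED
# from a later refresh_token grant and therefore carries no nonce.
ORIGINAL = {"iss": "https://op.example", "sub": "user-42", "aud": "client-1",
            "exp": 2000, "nonce": "n-0S6_WzA2Mj"}
REFRESHED = {"iss": "https://op.example", "sub": "user-42", "aud": "client-1",
             "exp": 3000}
```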