[Openid-specs-ab] Issue #1052: make clear that nonce is always required for Hybrid flows (openid/connect)

Hans Zandbelt issues-reply at bitbucket.org
Tue Oct 2 23:47:06 UTC 2018


New issue 1052: make clear that nonce is always required for Hybrid flows
https://bitbucket.org/openid/connect/issues/1052/make-clear-that-nonce-is-always-required

Hans Zandbelt:

Assuming that `nonce` is always required for Hybrid flows no matter where the `id_token` is returned from, also following:
https://github.com/rohe/oidctest/issues/111#issuecomment-426450954

In section 3.3.2.11. ID Token of the Core spec, https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken, the ID token in the Hybrid flow is described, which says

> When using the Hybrid Flow, these additional requirements for the following ID Token
> Claims apply to an ID Token returned from the Authorization Endpoint:

Since an ID Token may also be returned from the Token Endpoint, that sentence seems to be too restrictive and the last part "returned from the Authorization Endpoint" should be removed.

FWIW: this may be a left-over from

> 3.3.2.12.  ID Token Validation

where ID token validation is discussed for an `id_token` returned from the Authorization Endpoint, as opposed to:

> 3.3.3.7.  ID Token Validation

where ID token validation is discussed for an `id_token` returned from the Token Endpoint.

OTOH: if section 3.3.2.11. is only about ID tokens returned from the Authorization Endpoint and it is supposed to be the counterpart of 

> 3.3.3.6.  ID Token

where validation of the contents of an ID Token returned from the Token Endpoint is discussed, then the following should be added to the latter:

> Use of the nonce Claim is REQUIRED for this flow.

otherwise it is not clear that `nonce` is always required in Hybrid flows no matter where the ID token is returned from.

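The situation the issue describes, as an added example that is not part of the original post or of the spec: a small Python model of the Hybrid Flow with response_type=code id_token, in which the RP receives one ID Token from the Authorization Endpoint and a second one from the Token Endpoint, and applies the same nonce check to both. Everything concrete here is constructed for the demo and is an assumption: the HS256 signing in place of the OP's real JWS, the issuer, client ID, key, authorization code and session nonce, and the function names. Only the nonce rule and the c_hash rule for the front-channel token are taken from Core 3.3.2.11.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values; nothing in the issue text fixes these.
DEMO_KEY = b"demo-hmac-key-not-for-production"  # HS256 secret, illustrative only
ISSUER = "https://op.example"
CLIENT_ID = "client-123"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str) -> str:
    """c_hash / at_hash for a SHA-256 based alg: base64url of the left-most 128 bits."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def mint_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the OP: a compact HS256 JWT over the given claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_hybrid_id_token(token, expected_nonce, source, code=None, key=DEMO_KEY, now=None):
    """RP-side validation of one Hybrid Flow ID Token.

    source is "authorization_endpoint" or "token_endpoint". The nonce check is the
    same for both: an ID Token without the session's nonce is rejected no matter
    which endpoint returned it. c_hash is checked only for the front-channel token,
    where Core 3.3.2.11 requires it when a code is returned alongside.
    Returns the claims on success, raises ValueError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("client not in aud")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    # The point of issue #1052: nonce is REQUIRED for every Hybrid Flow ID Token,
    # whether it arrived in the front channel or from the Token Endpoint.
    nonce = claims.get("nonce")
    if not isinstance(nonce, str):
        raise ValueError(f"nonce missing from ID Token returned from {source}")
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError(f"nonce mismatch in ID Token returned from {source}")
    if source == "authorization_endpoint" and code is not None:
        if claims.get("c_hash") != left_half_hash(code):
            raise ValueError("c_hash does not match the authorization code")
    return claims


def run_hybrid_flow_demo(now=1538524800):
    """Model response_type=code id_token: one ID Token per endpoint, one nonce per session."""
    session_nonce = secrets.token_urlsafe(16)  # RP stores this before redirecting
    code = "SplxlOBeZQQYbYS6WxSbIA"  # constructed authorization code
    base = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "iat": now, "exp": now + 600}

    # Front-channel ID Token (Core 3.3.2.11): nonce plus c_hash for the code.
    front = mint_id_token({**base, "nonce": session_nonce, "c_hash": left_half_hash(code)})
    # Back-channel ID Token (Core 3.3.3.6): nonce still required, c_hash not.
    back = mint_id_token({**base, "nonce": session_nonce})
    # The same back-channel token minted without nonce, as an OP reading 3.3.3.6
    # literally might do; the RP must reject it.
    back_no_nonce = mint_id_token(base)

    results = {
        "front": validate_hybrid_id_token(front, session_nonce, "authorization_endpoint", code=code, now=now)["sub"],
        "back": validate_hybrid_id_token(back, session_nonce, "token_endpoint", now=now)["sub"],
    }
    try:
        validate_hybrid_id_token(back_no_nonce, session_nonce, "token_endpoint", now=now)
        results["back_no_nonce"] = "accepted"
    except ValueError as err:
        results["back_no_nonce"] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(run_hybrid_flow_demo(), indent=2))
```

The validator takes a `source` argument only so that its error messages say which leg of the flow failed; the nonce branch itself does not consult it. That is the reading of the spec the issue asks for: the front-channel token gets the extra c_hash/at_hash requirements, but the replay protection that nonce provides is lost if either token can be issued without it.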