[Openid-specs-ab] Hybrid Flow | nonce | required or optional?
Michael.Jones at microsoft.com
Thu Jan 10 19:33:32 UTC 2019
I believe that the nonce edits in the current editor's draft at https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest and https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken finish addressing this issue in a way that reflects the working group consensus. Please review.
From: Christian Mainka <Christian.Mainka at rub.de>
Sent: Friday, December 21, 2018 2:33 AM
To: openid-specs-ab at lists.openid.net
Cc: vladislav.mladenov at rub.de; n-sakimura at nri.co.jp; ve7jtb at ve7jtb.com; Mike Jones <Michael.Jones at microsoft.com>; breno at google.com; cmortimore at salesforce.com
Subject: [Openid-specs-ab] Hybrid Flow | nonce | required or optional?
We are unsure whether nonce is OPTIONAL or REQUIRED in the Hybrid Flow.
· Hybrid Flow => ID Token (Section 3.3.2.11, https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken) states nonce is REQUIRED.
· Hybrid Flow => Authentication Request (Section 3.3.2.1, https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest) refers to Code => Authentication Request (Section 3.1.2.1, https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), where nonce is OPTIONAL.
What does this mean for the case in which no nonce is used in the Authentication Request (OPTIONAL: nonce)?
Does the IdP have to generate its own nonce and include it in the ID Token (REQUIRED: nonce)?
Or is this a bug in the specification?
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr-University Bochum, Germany
Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany
Telefon: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
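Added illustration, not part of the thread and not the specification's own text: an RP-side check written under the assumption that nonce is mandatory whenever response_type returns an ID Token from the Authorization Endpoint (Hybrid and Implicit flows) and optional for a pure code flow, and that in either case an ID Token nonce must equal the value the RP stored when it built the Authentication Request. Function names and the sample claims are hypothetical.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Assumed RP policy (an assumption of this example, not a quotation of the
# spec): any response_type containing "id_token" makes nonce mandatory,
# because the ID Token is returned directly from the Authorization Endpoint
# and nonce is what binds it to this RP session. Pure "code" leaves it
# optional, but a nonce the RP did send must still round-trip unchanged.
def nonce_required(response_type: str) -> bool:
    return "id_token" in response_type.split()

def new_nonce() -> str:
    # 128 bits of entropy, URL-safe; store it in the RP session before redirecting
    return secrets.token_urlsafe(16)

def check_id_token_nonce(response_type: str,
                         sent_nonce: Optional[str],
                         id_token_claims: dict) -> Tuple[bool, str]:
    """Return (ok, reason). sent_nonce is the value the RP stored when it built
    the Authentication Request, or None if it did not send one."""
    claim = id_token_claims.get("nonce")
    if sent_nonce is None:
        if nonce_required(response_type):
            return False, "nonce is required for response_type %r but none was sent" % response_type
        if claim is not None:
            # An ID Token carrying a nonce the RP never issued is not bound to this session
            return False, "unsolicited nonce claim in ID Token"
        return True, "nonce not used (code flow)"
    if claim is None:
        return False, "ID Token is missing the nonce claim"
    # constant-time comparison; a mismatch indicates a replayed or foreign ID Token
    if not hmac.compare_digest(str(claim), sent_nonce):
        return False, "nonce mismatch"
    return True, "nonce verified"

if __name__ == "__main__":
    # Constructed sample: a Hybrid Flow round trip with a matching nonce
    n = new_nonce()
    claims = {"iss": "https://op.example", "sub": "alice", "nonce": n}
    print(check_id_token_nonce("code id_token", n, claims))
```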