[Openid-specs-ab] Hybrid Flow | nonce | required or optional?

Hans Zandbelt hans.zandbelt at zmartzone.eu
Thu Jan 10 19:38:51 UTC 2019


I do not think this is complete: please consider the comment about section
3.3.2.11. (the ID token validation section) here:
https://bitbucket.org/openid/connect/issues/972/nonce-requirement-in-hybrid-auth-request#comment-49783247

Hans.

On Thu, Jan 10, 2019 at 8:33 PM Mike Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> I believe that the nonce edits in the current editor's draft at
> https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest
> and
> https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken
> finish addressing this issue in a way that reflects the working group
> consensus. Please review.
>
>
>
>                                                 -- Mike
>
>
>
> *From:* Christian Mainka <Christian.Mainka at rub.de>
> *Sent:* Friday, December 21, 2018 2:33 AM
> *To:* openid-specs-ab at lists.openid.net
> *Cc:* vladislav.mladenov at rub.de; n-sakimura at nri.co.jp; ve7jtb at ve7jtb.com;
> Mike Jones <Michael.Jones at microsoft.com>; breno at google.com;
> cmortimore at salesforce.com
> *Subject:* [Openid-specs-ab] Hybrid Flow | nonce | required or optional?
>
>
>
> Hi,
>
> we are unsure if *nonce* is OPTIONAL or REQUIRED in the Hybrid Flow.
>
> · *Hybrid Flow => ID Token* (Section 3.3.2.11
> <https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken>)
> states *nonce* is REQUIRED.
>
> · *Hybrid Flow => Authentication Request* (Section 3.3.2.1
> <https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest>)
> refers to *Code => Authentication Request* (Section 3.1.2.1
> <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>),
> where *nonce* is OPTIONAL.
>
> What does this mean for the case in which no nonce is used in the
> Authentication Request (OPTIONAL: nonce)?
> Does the IdP have to generate its own nonce and include it in the ID Token
> (REQUIRED: nonce)?
>
> Or is this a bug in the specification?
>
> Best Regards
> Vladislav/Christian
>
> --
>
> Dr.-Ing. Christian Mainka
>
> Horst Görtz Institute for IT-Security
>
> Chair for Network and Data Security
>
> Ruhr-University Bochum, Germany
>
>
>
> Universitätsstr. 150, ID 2/463
>
> D-44801 Bochum, Germany
>
>
>
> Telefon: +49 (0) 234 / 32-26796
>
> Fax: +49 (0) 234 / 32-14347
>
> http://nds.rub.de/chair/people/cmainka/
>
> @CheariX
>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
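
Added example, not part of the thread and not text from the OpenID Connect specification: one relying-party policy that avoids depending on the OPTIONAL/REQUIRED question raised above, by always sending a nonce on Hybrid Flow requests and requiring the matching claim back. The function names and the policy choices marked in the comments are assumptions, and the claims are assumed to come from an ID Token whose signature has already been verified.

```python
import hmac
import secrets

# The three Hybrid Flow response types from OpenID Connect Core, Section 3.3.
HYBRID = {frozenset(t.split()) for t in
          ("code id_token", "code token", "code id_token token")}


class NonceError(ValueError):
    """The request/ID Token pair fails the nonce policy below."""


def is_hybrid(response_type):
    return frozenset(response_type.split()) in HYBRID


def build_auth_params(response_type, client_id, redirect_uri):
    """Hypothetical RP helper: returns (params, nonce to keep in the session)."""
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid"}
    nonce = None
    if is_hybrid(response_type):
        # Assumed policy: never rely on nonce being OPTIONAL for hybrid.
        nonce = secrets.token_urlsafe(32)
        params["nonce"] = nonce
    return params, nonce


def check_nonce(response_type, sent_nonce, claims):
    """Check the nonce claim of an ID Token whose signature is already verified."""
    claimed = claims.get("nonce")
    if is_hybrid(response_type) and sent_nonce is None:
        raise NonceError("hybrid request was sent without a nonce")
    if sent_nonce is None:
        if claimed is not None:
            # Assumed policy: a nonce the RP never sent (e.g. one the IdP
            # generated) cannot be tied to this session, so reject it.
            raise NonceError("ID Token carries a nonce that was not requested")
        return True
    if not isinstance(claimed, str):
        raise NonceError("ID Token has no nonce claim")
    if not hmac.compare_digest(claimed.encode(), sent_nonce.encode()):
        raise NonceError("nonce claim does not match the request")
    return True
```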