<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We could drop it from the Implicit Flow, as it’s already present in the Code Flow. Does that work for people?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Richer, Justin P. [mailto:jricher@mitre.org]
<br>
<b>Sent:</b> Thursday, October 24, 2013 12:56 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] Nonce value suggestion for the Implicit Flow<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I'm actually in favor of dropping this example, or else providing it in a list of alternatives. The important thing is that the client can validate the exact value of the nonce parameter on its way back through, the mechanics of how that
happens are client specific (but we can provide simple guidance). <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"> -- Justin<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Oct 24, 2013, at 11:44 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">For the Implicit Flow, the “nonce” description contains this text at<a href="http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest"><span style="color:purple">http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest</span></a>:<o:p></o:p></span></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">Sufficient entropy MUST be present in the<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366">nonce</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif"">values
used to prevent attackers from guessing values.<span class="apple-converted-space"> </span><span style="background:yellow">One method to achieve this is to store a random value as a signed session cookie, and pass the value in the</span></span><tt><span lang="EN" style="color:#003366;background:yellow">nonce</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif";background:yellow"> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif";background:yellow">parameter.
In that case, the<span class="apple-converted-space"> </span></span><tt><span lang="EN" style="color:#003366;background:yellow">nonce</span></tt><span class="apple-converted-space"><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif";background:yellow"> </span></span><span lang="EN" style="font-size:11.0pt;font-family:"Verdana","sans-serif";background:yellow">in
the returned ID Token can be compared to the signed session cookie to detect ID Token replay by third parties.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">George wrote this about the suggestion in his review:<o:p></o:p></span></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">“I'm not sure this suggestion makes sense for the implicit flow. The client would need to write a cookie value on the domain of the redirect_uri and the attempt to read it
on the return of the implicit flow. Wondering if a local storage example would make more sense.”<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Do people agree with him? If so, does someone want to supply specific alternative text to use?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> -- Mike<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>