<div dir="ltr"><div dir="ltr"><div dir="ltr">I do not think this is complete: please consider the comment about section 3.3.2.11. (the ID token validation section) here:<div><a href="https://bitbucket.org/openid/connect/issues/972/nonce-requirement-in-hybrid-auth-request#comment-49783247">https://bitbucket.org/openid/connect/issues/972/nonce-requirement-in-hybrid-auth-request#comment-49783247</a><br></div><div><br></div><div>Hans.</div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jan 10, 2019 at 8:33 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="white" lang="EN-US">
<div class="gmail-m_4536959476028659937WordSection1">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:rgb(23,43,77)">I believe that the nonce edits in the current editor's draft at
</span><a href="https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest" target="_blank"><span style="font-size:10.5pt;font-family:"\000026quot",serif;color:rgb(0,82,204)">https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest</span></a><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:rgb(23,43,77)">
and </span><a href="https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken" target="_blank"><span style="font-size:10.5pt;font-family:"\000026quot",serif;color:rgb(0,82,204)">https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken</span></a><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:rgb(23,43,77)">
finish addressing this issue in a way that reflects the working group consensus. Please review.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:rgb(23,43,77)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:rgb(23,43,77)"> -- Mike</span><span style="color:rgb(0,32,96)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Christian Mainka <<a href="mailto:Christian.Mainka@rub.de" target="_blank">Christian.Mainka@rub.de</a>>
<br>
<b>Sent:</b> Friday, December 21, 2018 2:33 AM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> <a href="mailto:vladislav.mladenov@rub.de" target="_blank">vladislav.mladenov@rub.de</a>; <a href="mailto:n-sakimura@nri.co.jp" target="_blank">n-sakimura@nri.co.jp</a>; <a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>; Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>>; <a href="mailto:breno@google.com" target="_blank">breno@google.com</a>; <a href="mailto:cmortimore@salesforce.com" target="_blank">cmortimore@salesforce.com</a><br>
<b>Subject:</b> [Openid-specs-ab] Hybrid Flow | nonce | requred or optional?<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p>Hi,<u></u><u></u></p>
<p>we are unsure if <em><span style="font-family:Calibri,sans-serif">nonce</span></em> is OPTIONAL or REQUIRED in the Hybrid Flow.<u></u><u></u></p>
<p class="MsoNormal" style="margin-right:0in;margin-bottom:6pt;margin-left:0in">
<u></u><span style="font-size:10pt;font-family:Symbol"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><em><span style="font-family:Calibri,sans-serif">Hybrid Flow => ID Token</span></em> (Section 3.3.2.11
<a href="https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken" target="_blank">1</a>) states
<em><span style="font-family:Calibri,sans-serif">nonce</span></em> is REQUIRED.<u></u><u></u></p>
<p class="MsoNormal" style="margin-right:0in;margin-bottom:6pt;margin-left:0in">
<u></u><span style="font-size:10pt;font-family:Symbol"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><em><span style="font-family:Calibri,sans-serif">Hybrid Flow => Authentication Request</span></em> (Section 3.3.2.1
<a href="https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest" target="_blank">
2</a>) refers to <em><span style="font-family:Calibri,sans-serif">Code => Authentication Request</span></em> (Section 3.1.2.1
<a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank">3</a>), where
<em><span style="font-family:Calibri,sans-serif">nonce</span></em> is OPTIONAL.<u></u><u></u></p>
<p>What does this mean for the case in which no nonce is used in the Authentication Request (OPTIONAL: nonce).<br>
Does the IdP have to generate its own nonce and include it in the ID Token (REQUIRED: nonce)?<u></u><u></u></p>
<p>Or is this a bug in the specification?<u></u><u></u></p>
<p>Best Regards<br>
Vladislav/Christian<u></u><u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:1pt"><u></u><u></u></span></p>
</div>
</div>
<pre>-- <u></u><u></u></pre>
<pre>Dr.-Ing. Christian Mainka<u></u><u></u></pre>
<pre>Horst Görtz Institute for IT-Security <u></u><u></u></pre>
<pre>Chair for Network and Data Security <u></u><u></u></pre>
<pre>Ruhr-University Bochum, Germany<u></u><u></u></pre>
<pre><u></u> <u></u></pre>
<pre>Universitätsstr. 150, ID 2/463<u></u><u></u></pre>
<pre>D-44801 Bochum, Germany<u></u><u></u></pre>
<pre><u></u> <u></u></pre>
<pre>Telefon: +49 (0) 234 / 32-26796<u></u><u></u></pre>
<pre>Fax: +49 (0) 234 / 32-14347<u></u><u></u></pre>
<pre><a href="http://nds.rub.de/chair/people/cmainka/" target="_blank">http://nds.rub.de/chair/people/cmainka/</a><u></u><u></u></pre>
<pre>@CheariX<u></u><u></u></pre>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div>