<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#002060;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:84959465;
        mso-list-template-ids:893405888;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#172B4D'>I believe that the nonce edits in the current editor's draft at
</span><a href="https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest"><span style='font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#0052CC'>https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridAuthRequest</span></a><span style='font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#172B4D'>
 and </span><a href="https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken"><span style='font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#0052CC'>https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#HybridIDToken</span></a><span style='font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#172B4D'>
 finish addressing this issue in a way that reflects the working group consensus. Please review.<o:p></o:p></span></p>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#172B4D'><o:p> </o:p></span></p>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Segoe UI",sans-serif;color:#172B4D'>                                                -- Mike</span><span style="color:#002060"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Christian Mainka &lt;Christian.Mainka@rub.de&gt;
<br>
<b>Sent:</b> Friday, December 21, 2018 2:33 AM<br>
<b>To:</b> openid-specs-ab@lists.openid.net<br>
<b>Cc:</b> vladislav.mladenov@rub.de; n-sakimura@nri.co.jp; ve7jtb@ve7jtb.com; Mike Jones &lt;Michael.Jones@microsoft.com&gt;; breno@google.com; cmortimore@salesforce.com<br>
<b>Subject:</b> [Openid-specs-ab] Hybrid Flow | nonce | required or optional?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p>Hi,<o:p></o:p></p>
<p>We are unsure if <em><span style='font-family:"Calibri",sans-serif'>nonce</span></em> is OPTIONAL or REQUIRED in the Hybrid Flow.<o:p></o:p></p>
<ul>
<li><em><span style='font-family:"Calibri",sans-serif'>Hybrid Flow => ID Token</span></em> (Section 3.3.2.11
<a href="https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken">1</a>) states
<em><span style='font-family:"Calibri",sans-serif'>nonce</span></em> is REQUIRED.</li>
<li><em><span style='font-family:"Calibri",sans-serif'>Hybrid Flow => Authentication Request</span></em> (Section 3.3.2.1
<a href="https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest">2</a>) refers to <em><span style='font-family:"Calibri",sans-serif'>Code => Authentication Request</span></em> (Section 3.1.2.1
<a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest">3</a>), where
<em><span style='font-family:"Calibri",sans-serif'>nonce</span></em> is OPTIONAL.</li>
</ul>
<p>What does this mean for the case in which no nonce is used in the Authentication Request (OPTIONAL: nonce)?<br>
Does the IdP have to generate its own nonce and include it in the ID Token (REQUIRED: nonce)?<o:p></o:p></p>
<p>Or is this a bug in the specification?<o:p></o:p></p>
<p>Best Regards<br>
Vladislav/Christian<o:p></o:p></p>
</div>
<pre>-- <o:p></o:p></pre>
<pre>Dr.-Ing. Christian Mainka<o:p></o:p></pre>
<pre>Horst Görtz Institute for IT-Security <o:p></o:p></pre>
<pre>Chair for Network and Data Security <o:p></o:p></pre>
<pre>Ruhr-University Bochum, Germany<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Universitätsstr. 150, ID 2/463<o:p></o:p></pre>
<pre>D-44801 Bochum, Germany<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Telefon: +49 (0) 234 / 32-26796<o:p></o:p></pre>
<pre>Fax: +49 (0) 234 / 32-14347<o:p></o:p></pre>
<pre><a href="http://nds.rub.de/chair/people/cmainka/">http://nds.rub.de/chair/people/cmainka/</a><o:p></o:p></pre>
<pre>@CheariX<o:p></o:p></pre>
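<p class="MsoNormal">The Relying Party side of the question above, as an added Python example that is not code from the thread, the OpenID Foundation or the specification: it assumes the policy that nonce is OPTIONAL only for the plain Authorization Code Flow (response_type "code") and REQUIRED for every Implicit or Hybrid response_type, and that a nonce sent in the code flow must still be echoed and matched. The names NonceStore and check_id_token_nonce are hypothetical; signature, issuer, audience and expiry checks are assumed to have run before the nonce check.</p>

```python
import hmac
import secrets
from typing import Optional, Tuple

# Assumed RP-side policy for this added example (not text from the thread):
# nonce is OPTIONAL only in the plain Authorization Code Flow (response_type
# "code"); every Implicit or Hybrid response_type returns an ID Token from the
# authorization endpoint, so the RP must send a nonce and the ID Token must
# echo it.  A nonce sent in the code flow must still match when present.

def nonce_required(response_type: str) -> bool:
    """True for every response_type except the plain code flow."""
    return set(response_type.split()) != {"code"}


class NonceStore:
    """Per-session nonces, consumed exactly once so a replayed ID Token
    cannot be matched against a still-pending value."""

    def __init__(self) -> None:
        self._pending: dict = {}  # session_id -> nonce

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_urlsafe(32)  # unguessable, fresh per request
        self._pending[session_id] = nonce
        return nonce

    def consume(self, session_id: str) -> Optional[str]:
        return self._pending.pop(session_id, None)


def check_id_token_nonce(response_type: str, sent_nonce: Optional[str],
                         id_token_claims: dict) -> Tuple[bool, str]:
    """Nonce check on an already signature-, iss-, aud- and exp-verified
    ID Token payload; returns (accepted, reason)."""
    if sent_nonce is None:
        if nonce_required(response_type):
            return False, "nonce is REQUIRED in the request for this flow"
        # Code flow without a nonce: nothing to bind, whatever the OP echoed.
        return True, "no nonce sent; code flow, nothing to bind"
    claim = id_token_claims.get("nonce")
    if not isinstance(claim, str):
        return False, "ID Token lacks the nonce claim that was sent"
    if not hmac.compare_digest(claim.encode(), sent_nonce.encode()):
        return False, "nonce mismatch: ID Token not bound to this session"
    return True, "nonce matches"
```

<p class="MsoNormal">An IdP-generated nonce that the RP never sent (the case the question raises) gives the RP nothing to compare against, which is why the check above only binds a nonce the RP itself issued and consumed once.</p>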
</div>
</body>
</html>