It took me an extra read to notice that the sentence
The OP puts the received nonce value into the ID Token that is issued as part of the code exchange at the token endpoint.
means that the ID token was received from the token endpoint, and doesn't apply to the ID token received from the redirect via response_type=code+id_token.
I think this section would benefit from being explicit that this nonce protection only applies to an ID token obtained from the token endpoint, otherwise it is easy to misinterpret this to mean that the client should check the nonce in the ID token it got in the redirect, which would of course do nothing. I do realize this is spelled out pretty clearly in the numbered list below, but I think it should be made clearer up front as well.
Yes, that's not what I meant. I meant the language that says the client must validate the nonce in the ID token; it's not clear in the first paragraph that it has to use an option that gets an ID token from the token endpoint in the first place.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.5.3.2
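To make the point of the thread concrete, here is an added Python example (not text from the draft, the issue, or any OP/client implementation). It models a toy OpenID Provider and a relying-party client, with an HMAC standing in for the OP's JWT signature so it runs offline, and walks a constructed authorization-code injection through both placements of the nonce check: on the ID token from the redirect (response_type=code id_token) and on the ID token from the token endpoint. All names, keys and the session layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real OP signs ID tokens as JWTs with an asymmetric key.
OP_KEY = b"op-demo-key-not-for-production"


def _sign(claims: dict) -> str:
    """Toy 'JWT': base64url(JSON claims) + '.' + HMAC-SHA256 over the JSON."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(OP_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def verify_id_token(token: str) -> dict:
    """Check the toy signature and return the claims (raises on tampering)."""
    body_b64, tag = token.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(OP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad ID token signature")
    return json.loads(body)


class OpenIDProvider:
    """Minimal OP: issues a code bound to the nonce of the authorization request."""

    def __init__(self):
        self.codes = {}  # code -> (subject, nonce from the authorization request)

    def authorize(self, sub: str, nonce: str):
        """response_type=code id_token: returns the code and the front-channel ID token."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (sub, nonce)
        return code, _sign({"sub": sub, "nonce": nonce})

    def token(self, code: str) -> str:
        """Token endpoint: redeem the (single-use) code for the back-channel ID token."""
        sub, nonce = self.codes.pop(code)
        return _sign({"sub": sub, "nonce": nonce})


class Client:
    def __init__(self, op: OpenIDProvider):
        self.op = op

    def start_login(self) -> dict:
        """Generate a fresh nonce and store it in the user's session (step 1-2 of the draft)."""
        return {"nonce": secrets.token_urlsafe(16)}

    def finish_login_front_nonce(self, session, code, front_id_token) -> str:
        """WRONG placement: the nonce is checked on the ID token from the redirect.
        That token came from the same message the attacker controls, so the
        check says nothing about which code is being redeemed."""
        front = verify_id_token(front_id_token)
        if front["nonce"] != session["nonce"]:
            raise ValueError("nonce mismatch")
        back = verify_id_token(self.op.token(code))
        return back["sub"]

    def finish_login_backchannel_nonce(self, session, code, front_id_token) -> str:
        """RIGHT placement: the nonce is checked on the ID token that the token
        endpoint issued for *this* code (steps 4-5 of the draft)."""
        back = verify_id_token(self.op.token(code))
        if back["nonce"] != session["nonce"]:
            raise ValueError("nonce mismatch")
        return back["sub"]


def simulate(check, inject_code: bool) -> str:
    """Run a victim login; optionally swap in a code from the attacker's own session."""
    op = OpenIDProvider()
    client = Client(op)
    victim_session = client.start_login()
    victim_code, victim_front = op.authorize("victim", victim_session["nonce"])
    code = victim_code
    if inject_code:
        # Attacker logs in to the OP as themselves, captures their code, and
        # plants it in the victim's redirect next to the victim's own front ID token.
        attacker_session = client.start_login()
        attacker_code, _ = op.authorize("attacker", attacker_session["nonce"])
        code = attacker_code
    try:
        return "accepted as " + check(client, victim_session, code, victim_front)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for name, check in [("front-channel nonce", Client.finish_login_front_nonce),
                        ("token-endpoint nonce", Client.finish_login_backchannel_nonce)]:
        print(name, "| honest:", simulate(check, False), "| injected:", simulate(check, True))
```

With the check on the redirect ID token the injected login is accepted as "attacker" (the victim's session is now bound to the attacker's account); with the check on the token-endpoint ID token it is rejected with a nonce mismatch. The toy front-channel token deliberately carries no c_hash, so it does not bind the code by itself; the point is only where the nonce comparison has to happen.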