Clarify nonce protection in 4.5.3.2

[aaronpk]

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.5.3.2

It took me an extra read to notice that the sentence

The OP puts the received nonce value into the ID Token that is issued as part of the code exchange at the token endpoint.

means that the ID token was received from the token endpoint, and doesn't apply to the ID token received from the redirect via response_type=code+id_token.

I think this section would benefit from being explicit that this nonce protection only applies to an ID token obtained from the token endpoint, otherwise it is easy to misinterpret this to mean that the client should check the nonce in the ID token it got in the redirect, which would of course do nothing. I do realize this is spelled out pretty clearly in the numbered list below, but I think it should be made clearer up front as well.

[selfissued]

That's not the case. The provided nonce must be included in all ID Tokens, no matter what response_type was used.

[aaronpk]

Yes that's not what I meant. I meant the language that says the client must validate the nonce in the ID token, it's not clear that it has to use an option that gets an ID token from the token endpoint in the first paragraph.

[danielfett]

Thanks for raising this, I created PR #99 to address this.