[keycloak-user] OIDC - ID Token's nonce validation

Iván Perdomo ivan at akvo.org
Tue May 5 09:19:48 EDT 2015


Hi,

It seems that if a client sends the optional `nonce` parameter as part
of the authentication request, the server should return it as `nonce`
claim part of the ID Token

> The value is passed through unmodified from the Authentication
> Request to the ID Token. If present in the ID Token, Clients MUST
> verify that the nonce Claim Value is equal to the value of the nonce
> parameter sent in the Authentication Request. If present in the
> Authentication Request, Authorization Servers MUST include a nonce
> Claim in the ID Token with the Claim Value being the nonce value sent
> in the Authentication Request. Authorization Servers SHOULD perform
> no other processing on nonce values used. The nonce value is a case
> sensitive string.

http://openid.net/specs/openid-connect-core-1_0.html#IDToken

As of Keycloak 1.2.0.Beta1 if a client sends a `nonce`, the ID Token
doesn't include the `nonce` claim.

Should I log this as a defect? Or is something already solved in 1.2.0RC1?

Thanks,

-- 
Iván
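The client-side check the quoted spec text requires, as an added example that is not part of the original post or of Keycloak: the relying party keeps the `nonce` it sent, extracts the ID Token claims, and treats an absent `nonce` claim (the behaviour reported above) as a failed validation rather than a pass. The tokens are constructed inline and unsigned; signature verification is a separate step that this snippet assumes has already been done.

```python
import base64
import hmac
import json
import secrets
from typing import Optional


def new_nonce() -> str:
    """Generate an unguessable nonce to bind the request to the ID Token."""
    return secrets.token_urlsafe(32)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test helper: build a compact JWT with an empty signature.
    Real ID Tokens are signed; verify the signature before trusting claims."""
    def b64url(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(id_token: str) -> dict:
    """Return the claims of a three-part compact JWT (no signature check here)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a three-part compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_nonce(claims: dict, expected_nonce: Optional[str]) -> bool:
    """Apply the OIDC Core nonce rule from the client's side.

    - No nonce sent in the Authentication Request: nothing to compare.
    - Nonce sent: the claim MUST be present and equal, case-sensitively.
      A missing claim (what the mail reports for 1.2.0.Beta1) is a failure;
      accepting it would silently drop the replay protection the nonce provides.
    """
    if expected_nonce is None:
        return True
    claim = claims.get("nonce")
    if not isinstance(claim, str):
        return False
    # Constant-time comparison; differing lengths simply compare unequal.
    return hmac.compare_digest(claim.encode(), expected_nonce.encode())


if __name__ == "__main__":
    sent = new_nonce()
    good = make_unsigned_token({"iss": "https://idp.example", "sub": "alice", "nonce": sent})
    missing = make_unsigned_token({"iss": "https://idp.example", "sub": "alice"})
    print("good token:", check_nonce(decode_jwt_payload(good), sent))        # True
    print("nonce dropped:", check_nonce(decode_jwt_payload(missing), sent))  # False
```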



More information about the keycloak-user mailing list