We don't have support for it at this moment. Could you please create a
JIRA for it?
Thanks,
Marek
On 5.5.2015 16:12, Iván Perdomo wrote:
Hi again,
On 05/05/2015 03:19 PM, Iván Perdomo wrote:
>> If present in the ID Token, Clients MUST
>> verify that the nonce Claim Value is equal to the value of the nonce
>> parameter sent in the Authentication Request.
More info is also described in the ID Token validation section
> If a nonce value was sent in the Authentication Request, a nonce
> Claim MUST be present and its value checked to verify that it is the
> same value as the one that was sent in the Authentication Request.
> The Client SHOULD check the nonce value for replay attacks. The
> precise method for detecting replay attacks is Client specific.
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
As I understand it, if a `nonce` parameter is present in the
authentication request, we should simply return it as a "claim" in the ID
Token.
I'm browsing the source code and I see that the IDToken [1] class is
prepared with the `nonce` property. But I'm kind of lost on where
the authentication request gets parsed. I would like to contribute this
change; any guide on where to look?
[1]
https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/or...
Cheers,
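Client-side nonce handling as the spec text quoted above requires (mint the nonce, send it, check the claim once, reject replays), as an added example that is not part of this thread or of Keycloak's code. The in-memory stores, the 300-second TTL and the fixture token builder are assumptions made for the example.

```python
import base64
import json
import secrets
import time

# Constructed in-memory stores for the client's session and accepted nonces (assumption: one process).
PENDING = {}            # state -> (nonce, issued_at)
CONSUMED_NONCES = set()
NONCE_TTL = 300         # seconds a pending nonce stays valid (assumption)

def start_auth_request(state):
    """Mint a fresh nonce bound to this session (keyed by `state`); the caller
    sends it as the `nonce` parameter of the Authentication Request."""
    nonce = secrets.token_urlsafe(32)
    PENDING[state] = (nonce, time.time())
    return nonce

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_id_token(claims):
    """Test fixture only: JWT-shaped string with an empty signature segment so the
    decoding path can run offline. Not a real ID Token."""
    return ".".join([_b64url(b'{"alg":"RS256"}'), _b64url(json.dumps(claims).encode()), ""])

def id_token_claims(id_token):
    """Decode the payload segment of a compact JWT. Signature, issuer and audience
    checks are assumed to have passed before the nonce rule is applied."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_nonce(state, claims, now=None):
    """Spec rule quoted above: the nonce claim MUST be present and equal the one sent; accepted once."""
    now = time.time() if now is None else now
    claim = claims.get("nonce")
    if isinstance(claim, str) and claim in CONSUMED_NONCES:
        return False, "nonce already used (replay)"
    pending = PENDING.pop(state, None)      # one-shot: consumed on first use
    if pending is None:
        return False, "no pending authentication request for this state"
    expected, issued_at = pending
    if now - issued_at > NONCE_TTL:
        return False, "nonce expired"
    if not isinstance(claim, str):
        return False, "nonce claim missing from ID Token"
    if not secrets.compare_digest(claim.encode(), expected.encode()):
        return False, "nonce mismatch"
    CONSUMED_NONCES.add(claim)
    return True, "ok"
```

Because the pending entry is popped on first use, presenting the same ID Token a second time fails even before the nonce cache is consulted for a different state.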
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user