We don't have support for it at this moment. Could you please create a JIRA for it?

Thanks,
Marek

On 5.5.2015 16:12, Iván Perdomo wrote:
Hi again,

On 05/05/2015 03:19 PM, Iván Perdomo wrote:
If present in the ID Token, Clients MUST
verify that the nonce Claim Value is equal to the value of the nonce
parameter sent in the Authentication Request.
More info is also described in the ID Token validation section

If a nonce value was sent in the Authentication Request, a nonce
Claim MUST be present and its value checked to verify that it is the
same value as the one that was sent in the Authentication Request.
The Client SHOULD check the nonce value for replay attacks. The
precise method for detecting replay attacks is Client specific.
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

As I understand it, if a `nonce` parameter is present in the
authentication request, we should simply return it as a "claim" in the ID
Token.

I'm browsing the source code and I see that the IDToken [1] class is
prepared with the `nonce` property. But I'm kind of lost on where
the authentication request gets parsed. I would like to contribute this
change, any guide on where to look?

[1]
https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/org/keycloak/representations/IDToken.java#L40-L41

Cheers,
