Hi again,
On 05/05/2015 03:19 PM, Iván Perdomo wrote:
> If present in the ID Token, Clients MUST
> verify that the nonce Claim Value is equal to the value of the nonce
> parameter sent in the Authentication Request.
More info is also described in the ID Token validation section
If a nonce value was sent in the Authentication Request, a nonce
Claim MUST be present and its value checked to verify that it is the
same value as the one that was sent in the Authentication Request.
The Client SHOULD check the nonce value for replay attacks. The
precise method for detecting replay attacks is Client specific.
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
As I understand it, if a `nonce` parameter is present in the
authentication request, we should simply return it as a "claim" in the ID
Token.
I'm browsing the source code and I see that the IDToken [1] class is
prepared with the `nonce` property. But I'm kind of lost on where
the authentication request gets parsed. I would like to contribute this
change, any guide on where to look?
[1]
https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/or...
Cheers,
--
Iván
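The nonce round trip discussed in this thread, as an added example that is not part of the original mail or of Keycloak's code: the client mints a nonce and binds it to its session, the provider echoes it into the ID Token only when one was sent, and the client checks the claim and rejects replays. The token is modelled as a plain claims dict; signature, issuer and audience validation are assumed to have happened already.

```python
import hashlib
import secrets

# Constructed model of the OIDC nonce flow. Real ID Tokens are signed JWTs;
# the signature/iss/aud checks are assumed to run before verify() below.


def build_auth_request(session: dict, client_id: str, redirect_uri: str) -> dict:
    """Client side: mint a fresh nonce, remember it in the session, send it."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce  # bound to this user's session only
    return {"response_type": "code", "scope": "openid", "client_id": client_id,
            "redirect_uri": redirect_uri, "nonce": nonce}


def issue_id_token(auth_request: dict, issuer: str, subject: str) -> dict:
    """Provider side: copy the nonce into the ID Token iff the request had one."""
    claims = {"iss": issuer, "sub": subject, "aud": auth_request["client_id"]}
    if "nonce" in auth_request:
        claims["nonce"] = auth_request["nonce"]
    return claims


class NonceVerifier:
    """Client side: nonce claim check plus a simple replay cache."""

    def __init__(self) -> None:
        self._seen: set[str] = set()  # hashes of nonces already accepted

    def verify(self, session: dict, id_token: dict) -> tuple[bool, str]:
        # pop() makes the session binding single-use: a second token for the
        # same login attempt has nothing to match against.
        expected = session.pop("oidc_nonce", None)
        if expected is None:
            return False, "no authentication request in flight"
        got = id_token.get("nonce")
        if got is None:
            return False, "nonce claim missing"   # nonce was sent: claim MUST exist
        if not secrets.compare_digest(expected, got):
            return False, "nonce mismatch"
        digest = hashlib.sha256(got.encode()).hexdigest()
        if digest in self._seen:
            return False, "replay"                # same token presented again
        self._seen.add(digest)
        return True, "ok"
```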