by apitman
991 days ago
> OpenPubKey states that it uses the OIDC `nonce` claim as its public key stuffing mechanism, but I'm not aware of many (any?) popular OIDC IdPs that allow the user to control the nonce in such a way

Doesn't the nonce the client provides have to be passed through unmodified[0] for the authorization server to be compliant?

> If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.

[0]: https://openid.net/specs/openid-connect-core-1_0.html#IDToke...
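An added example (not from the comment above and not OpenPubKey's own code) of why the spec requirement matters: the client sets `nonce` to a hash commitment over its public key plus a random value, a stand-in IdP echoes the nonce into the ID token as Core 1.0 requires, and the verifier checks that the echoed nonce matches the commitment. The IdP is simulated with HS256 and a shared secret purely to keep the example offline; a real IdP signs with RS256 and the exact commitment encoding OpenPubKey uses is an assumption here. All key material is constructed inline.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def commit_public_key(upk: dict, rz: str) -> str:
    """Nonce = base64url(SHA-256(canonical JSON of {upk, rz})).

    Assumption: a simplified commitment; the real encoding may differ.
    rz is a random value so the nonce still serves its replay-protection role.
    """
    cic = json.dumps({"upk": upk, "rz": rz}, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(cic).digest())


# Constructed IdP secret; a real IdP would use an RS256 keypair and publish JWKS.
IDP_SECRET = b"constructed-idp-secret-for-example-only"


def idp_issue_id_token(auth_request: dict, compliant: bool = True) -> str:
    """Stand-in authorization server: issues an HS256-signed ID token.

    When compliant, the nonce claim is exactly the value from the request,
    as OpenID Connect Core 1.0 requires. When not compliant, the IdP
    replaces it, which is what would break the public-key binding.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://idp.example", "sub": "user-123", "aud": auth_request["client_id"]}
    if "nonce" in auth_request:
        claims["nonce"] = auth_request["nonce"] if compliant else b64url(secrets.token_bytes(16))
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_pk_token(id_token: str, upk: dict, rz: str) -> bool:
    """Check the IdP signature, then check nonce == commitment(upk, rz)."""
    head, payload, sig = id_token.split(".")
    expected = hmac.new(IDP_SECRET, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False
    claims = json.loads(b64url_decode(payload))
    return hmac.compare_digest(claims.get("nonce", ""), commit_public_key(upk, rz))


def run_flow(compliant: bool = True, swap_key: bool = False) -> bool:
    """Full exchange: commit, authenticate, verify. Returns verifier's verdict."""
    upk = {"kty": "OKP", "crv": "Ed25519", "x": b64url(secrets.token_bytes(32))}  # constructed
    rz = b64url(secrets.token_bytes(32))
    nonce = commit_public_key(upk, rz)
    token = idp_issue_id_token({"client_id": "app", "nonce": nonce}, compliant)
    presented = {"kty": "OKP", "crv": "Ed25519", "x": b64url(secrets.token_bytes(32))} if swap_key else upk
    return verify_pk_token(token, presented, rz)


if __name__ == "__main__":
    print("compliant IdP, honest key:", run_flow())
    print("IdP rewrote nonce:", run_flow(compliant=False))
    print("attacker presents other key:", run_flow(swap_key=True))
```

The three `run_flow` cases show the point of the spec clause: binding only holds because the nonce comes back byte-for-byte, so an IdP that rewrote the nonce would not be usable for this scheme, and a token cannot be re-bound to a different key after issuance without breaking the commitment.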