I have several questions.
Do I need to verify the nonce on the client side when using Authorization Code Flow? In the general OAuth Provider implementation, the process of obtaining an access token from an authorization code only works once. From this, it seems that Authorization Code Flow already supports replay attack without using nonce?
What are the benefits of using Authorization Code Flow in web applications? ID Token is a mechanism for authentication, not authorization; I understand that it is used to verify which OpenID Provider is authenticating which user for which Relying Party.
But in Authorization Code Flow,
I'm not an authority on OpenID Connect but here are my two cents...
Authorization Code Flow and nonce
Do I need to verify the nonce on the client side when using Authorization Code Flow?
The spec says that if you send a nonce in the authorization request then you MUST verify it (see "nonce" in http://openid.net/specs/openid-connect-core-1_0.html#IDToken). However, sending the nonce is not required for the authorization code flow, so you could leave it out altogether. In the authorization code flow case, I think you're right in that the replay attack is mitigated by the code, making the nonce unnecessary. However, since one could be using an implicit/hybrid flow where the nonce is required, the id_token validation logic might as well be the same in that "If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked".
Authorization Code Flow and ID Token
What are the benefits of using Authorization Code Flow in web applications?
I think the benefit of authorization code flow is that you keep the tokens out of the browser and can likely keep the tokens only on the server side.
Here's a helpful link about choosing the right flow for the right scenario
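The two points in the answer above (the single-use authorization code, and the spec's rule that a nonce is checked only if one was sent) as an added, runnable example. This is not code from the question or the answer; the provider (`ToyAuthorizationCodeStore`), the issuer URL `https://op.example`, the client id `rp-client` and the unsigned ID token are all constructed for the demo. A real Relying Party verifies the ID token's signature against the provider's JWKS before looking at any claim; that step is assumed to have happened and is not shown.

```python
import base64
import json
import secrets
import time


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def constructed_id_token(claims: dict) -> str:
    """Build an UNSIGNED JWT-shaped token (alg=none, empty signature) so the demo runs
    offline. Constructed for this example only: a real OP signs ID tokens and a real
    RP must verify that signature before trusting the claims below."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Return the payload claims. Assumes signature verification already happened."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token_claims(claims, issuer, client_id, sent_nonce, now=None):
    """Return a list of problems; an empty list means the claims are acceptable.
    Nonce rule from OpenID Connect Core (ID Token Validation): if the RP sent a nonce
    in the Authentication Request, the nonce claim MUST be present and MUST match.
    If no nonce was sent (permitted in the code flow), the claim is not required."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected OpenID Provider")
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not aud or client_id not in aud:
        problems.append("aud does not contain this client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("ID token is expired or has no exp")
    if sent_nonce is not None:
        if "nonce" not in claims:
            problems.append("nonce claim missing although a nonce was sent")
        elif not secrets.compare_digest(str(claims["nonce"]), sent_nonce):
            problems.append("nonce claim does not match the nonce sent")
    return problems


class ToyAuthorizationCodeStore:
    """Models the provider-side behaviour the question relies on: an authorization
    code can be exchanged exactly once. Constructed for the demo, not a real OP."""

    def __init__(self):
        self._pending = {}

    def issue(self, nonce):
        code = secrets.token_urlsafe(24)
        self._pending[code] = nonce  # OP remembers the nonce to echo it in the ID token
        return code

    def redeem(self, code):
        # pop() makes the code single-use: a replayed code yields None (an error)
        return self._pending.pop(code, None)


def run_code_flow_demo(issuer="https://op.example", client_id="rp-client"):
    """Walk the RP side: send a nonce, redeem the code once, validate the ID token."""
    op = ToyAuthorizationCodeStore()
    session = {"nonce": secrets.token_urlsafe(16)}   # kept server-side before the redirect
    code = op.issue(session["nonce"])                  # OP redirects back with ?code=...
    nonce_seen_by_op = op.redeem(code)                 # token endpoint call, server-to-server
    replay = op.redeem(code)                           # the same code presented again
    id_token = constructed_id_token({
        "iss": issuer, "aud": client_id, "sub": "user-123",
        "exp": time.time() + 300, "nonce": nonce_seen_by_op,
    })
    problems = validate_id_token_claims(decode_claims(id_token), issuer, client_id,
                                        session["nonce"])
    return {"first_redeem_ok": nonce_seen_by_op is not None,
            "replay_rejected": replay is None,
            "id_token_problems": problems}


if __name__ == "__main__":
    print(run_code_flow_demo())
```

Because the code exchange happens from the RP's backend, the tokens never pass through the browser, which is the benefit the answer names. The nonce check costs nothing once the validation routine is shared with the implicit/hybrid flows, so keeping it in the common validator (as above) is the simpler design.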