OIDC has a nonce mechanism that gets included in the JWT to prevent replay attacks.
Comparing it after decoding isn't particularly difficult, but neither would be checking the issuer or audience.
It still might be useful to integrate it as part of the decode-and-validate step. This could maybe be done similarly to the set_required_spec_claims method, with a set_expected_claim_values.
The downside is that it forces a new Validation object to be allocated on every request because the nonce changes every time.
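As an added illustration of the proposed API shape (not jsonwebtoken's own code; every name here is hypothetical, and the claims map is a constructed stand-in for a decoded ID token payload), a std-only sketch in which expected claim values such as the nonce are checked in the same validate step as the required claims, with the per-request Validation built by cloning a shared base:

```rust
use std::collections::HashMap;

/// Hypothetical validation settings, modelled on the proposal above.
#[derive(Clone, Default)]
pub struct Validation {
    required_claims: Vec<String>,
    expected_values: HashMap<String, String>,
}

#[derive(Debug, PartialEq)]
pub enum ClaimError {
    Missing(String),  // claim absent from the decoded payload
    Mismatch(String), // claim present but not equal to the expected value
}

impl Validation {
    /// Claims that must merely be present (compare set_required_spec_claims).
    pub fn set_required_spec_claims(&mut self, claims: &[&str]) {
        self.required_claims = claims.iter().map(|c| c.to_string()).collect();
    }

    /// Claims whose value must equal a given string, e.g. ("nonce", session_nonce).
    pub fn set_expected_claim_values(&mut self, expected: &[(&str, &str)]) {
        for (k, v) in expected {
            self.expected_values.insert(k.to_string(), v.to_string());
        }
    }

    /// Check already-decoded claims; expected-value claims are implicitly required.
    pub fn validate(&self, claims: &HashMap<String, String>) -> Result<(), ClaimError> {
        for name in self.required_claims.iter().chain(self.expected_values.keys()) {
            if !claims.contains_key(name) {
                return Err(ClaimError::Missing(name.clone()));
            }
        }
        for (name, expected) in &self.expected_values {
            if &claims[name] != expected {
                return Err(ClaimError::Mismatch(name.clone()));
            }
        }
        Ok(())
    }
}

/// Per request: clone the shared base and pin the nonce stored in this login's session.
/// This is the allocation the issue describes, since the nonce differs on every request.
pub fn validation_for_request(base: &Validation, session_nonce: &str) -> Validation {
    let mut v = base.clone();
    v.set_expected_claim_values(&[("nonce", session_nonce)]);
    v
}

/// Constructed decoded claims standing in for an ID token payload (not real token data).
pub fn sample_claims(nonce: &str) -> HashMap<String, String> {
    HashMap::from([
        ("iss".to_string(), "https://issuer.example".to_string()),
        ("aud".to_string(), "client-id".to_string()),
        ("nonce".to_string(), nonce.to_string()),
    ])
}
```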