Open jogu opened 4 years ago
Actually I believe I'm mistaken, as https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken :
When using the Hybrid Flow, these additional requirements for the following ID Token Claims apply to an ID Token returned from the Authorization Endpoint:
nonce Use of the nonce Claim is REQUIRED for this flow.
and as there's no Authorization Endpoint id_token in code token this requirement doesn't apply.
That leaves the question of why https://www.heenan.me.uk/~joseph/oidcc_test_desc-phase1.html#OP_nonce_NoReq_code / https://github.com/rohe/oidctest/blob/master/test_tool/cp/test_op/flows/OP-nonce-NoReq-code.json only runs for code and not code token. I think it should run for code token.
See #14, we had it both ways, the way it is now is final, no id token from authorization endpoint = no nonce needed.
Ahha! Thanks. https://bitbucket.org/openid/connect/issues/972#comment-49835879 is definitive - nonce is optional for code token.
I think OP-nonce-NoReq-code.json should be running for code token, but it doesn't currently. Does that sound right?
This test:
https://www.heenan.me.uk/~joseph/oidcc_test_desc-phase1.html#OP_nonce_NoReq_noncode
https://github.com/rohe/oidctest/blob/master/test_tool/cp/test_op/flows/OP-nonce-NoReq-noncode.json
does not run for 'code token'. However, my understanding from reading the spec is that nonce is required for all hybrid flows and code token is a hybrid flow, and hence the test should be used for 'code token'.
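The rule the thread settles on (nonce is REQUIRED only when an ID Token comes back from the Authorization Endpoint, so for `code` and `code token` it is optional) as RP-side validation logic. This is an added example, not code from oidctest or the OpenID Foundation; the function names are hypothetical, and the sample claims are constructed.

```python
"""Added example: RP-side nonce checks per OpenID Connect Core 1.0.

The nonce Claim is REQUIRED only when the Authorization Endpoint itself
returns an ID Token (Implicit Flow, and Hybrid Flows whose response_type
includes "id_token"). For "code" and "code token" no ID Token is issued at
the Authorization Endpoint, so nonce is OPTIONAL there; if the RP did send
one, the ID Token later obtained from the Token Endpoint must still echo it.
"""
import hmac


def nonce_required(response_type: str) -> bool:
    """True when the Authorization Endpoint will return an ID Token."""
    return "id_token" in response_type.split()


def validate_id_token_nonce(response_type, request_nonce, id_token_claims):
    """Check the ID Token's nonce Claim against what the RP requested.

    Returns (ok, reason). Constant-time comparison avoids leaking the
    expected nonce through timing; nonce values are ASCII in practice.
    """
    token_nonce = id_token_claims.get("nonce")
    if request_nonce is None:
        if nonce_required(response_type):
            return False, "nonce REQUIRED for response_type %r" % response_type
        if token_nonce is not None:
            return False, "ID Token carries a nonce the RP never sent"
        return True, "nonce optional and absent"
    if token_nonce is None:
        return False, "nonce sent in request but missing from ID Token"
    if not hmac.compare_digest(token_nonce, request_nonce):
        return False, "nonce mismatch (possible ID Token replay)"
    return True, "nonce matches"


if __name__ == "__main__":
    # Constructed sample claims; a real RP would take these from a verified JWT.
    print(nonce_required("code token"))                       # False
    print(validate_id_token_nonce("code token", None, {"sub": "alice"}))
    print(validate_id_token_nonce("code id_token", None, {"sub": "alice"}))
    print(validate_id_token_nonce("code", "n-0S6_WzA2Mj",
                                  {"sub": "alice", "nonce": "n-0S6_WzA2Mj"}))
```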