openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

OP-nonce-NoReq-noncode does not run for 'code token' #213

Open jogu opened 4 years ago

jogu commented 4 years ago

This test:

https://www.heenan.me.uk/~joseph/oidcc_test_desc-phase1.html#OP_nonce_NoReq_noncode

https://github.com/rohe/oidctest/blob/master/test_tool/cp/test_op/flows/OP-nonce-NoReq-noncode.json

does not run for 'code token'. However, my understanding from reading the spec is that nonce is required for all hybrid flows, and code token is a hybrid flow, and hence the test should be used for 'code token'.

jogu commented 4 years ago

Actually I believe I'm mistaken, as https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken :

When using the Hybrid Flow, these additional requirements for the following ID Token Claims apply to an ID Token returned from the Authorization Endpoint:

nonce Use of the nonce Claim is REQUIRED for this flow.

and as there's no Authorization Endpoint id_token in code token this requirement doesn't apply.

That leaves the question of why https://www.heenan.me.uk/~joseph/oidcc_test_desc-phase1.html#OP_nonce_NoReq_code / https://github.com/rohe/oidctest/blob/master/test_tool/cp/test_op/flows/OP-nonce-NoReq-code.json only runs for code and not code token. I think it should run for code token.

panva commented 4 years ago

See #14, we had it both ways, the way it is now is final, no id token from authorization endpoint = no nonce needed.

jogu commented 4 years ago

Ahha! Thanks. https://bitbucket.org/openid/connect/issues/972#comment-49835879 is definitive - nonce is optional for code token.

I think OP-nonce-NoReq-code.json should be running for code token, but it doesn't currently. Does that sound right?
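The rule the thread settles on is that nonce is REQUIRED exactly when an ID Token is issued from the Authorization Endpoint, i.e. when `response_type` contains `id_token`, and OPTIONAL otherwise (so for `code` and `code token`). The following is an added example, not code from oidctest or the certification suite; it encodes that rule as an OP-side request check, the RP-side nonce check from OpenID Connect Core 3.1.3.7 (if the RP sent a nonce, the ID Token must carry the same value), and a helper that lists which response types a "nonce not required" test such as OP-nonce-NoReq-code should run for. The request URL and claim sets are constructed sample data; `parse_authorization_request`, `check_authorization_request`, `check_id_token_nonce` and `response_types_for_test` are hypothetical names chosen here.

```python
"""Nonce requirements by OpenID Connect response_type (added example).

Rule used here (per the issue thread's reading of OIDC Core): a nonce is
REQUIRED whenever an ID Token comes back from the Authorization Endpoint,
which is the case precisely when response_type includes "id_token".
"""
from typing import Dict, Optional, List
from urllib.parse import parse_qs, urlparse

# Standard OIDC response types (OAuth 2.0 Multiple Response Type Encoding Practices).
RESPONSE_TYPES: List[str] = [
    "code", "id_token", "id_token token",
    "code id_token", "code token", "code id_token token",
]


def id_token_from_authorization_endpoint(response_type: str) -> bool:
    """True if this response_type returns an ID Token directly from the Authorization Endpoint."""
    return "id_token" in response_type.split()


def nonce_required(response_type: str) -> bool:
    """Nonce is REQUIRED only when an ID Token is issued from the Authorization Endpoint."""
    return id_token_from_authorization_endpoint(response_type)


def parse_authorization_request(url: str) -> Dict[str, str]:
    """Flatten the query string of an authorization request URL into single-valued params."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def check_authorization_request(params: Dict[str, str]) -> Optional[str]:
    """OP side: return an OAuth error code if the request is unacceptable w.r.t. nonce, else None.

    Missing response_type is always invalid_request; a missing nonce is only an
    error for response types that return an ID Token from the Authorization Endpoint.
    """
    response_type = params.get("response_type")
    if not response_type:
        return "invalid_request"
    if nonce_required(response_type) and not params.get("nonce"):
        return "invalid_request"
    return None


def check_id_token_nonce(claims: Dict[str, object], sent_nonce: Optional[str]) -> bool:
    """RP side (OIDC Core 3.1.3.7 step 11): if a nonce was sent in the request,
    the ID Token MUST contain a nonce claim equal to it. If none was sent, there
    is nothing to compare (the OP-side check already rejected requests that needed one).
    """
    if sent_nonce is None:
        return True
    return claims.get("nonce") == sent_nonce


def response_types_for_test(requires_nonce: bool) -> List[str]:
    """Response types a test should run for: requires_nonce=False gives the set for a
    'nonce not required' test (OP-nonce-NoReq-code style), True the set for the
    'nonce required' test (OP-nonce-NoReq-noncode style)."""
    return [rt for rt in RESPONSE_TYPES if nonce_required(rt) == requires_nonce]


# Constructed sample request: hybrid 'code token' without a nonce, which must be accepted.
SAMPLE_REQUEST = (
    "https://op.example/authorize?response_type=code+token&client_id=rp1"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&scope=openid&state=abc"
)

if __name__ == "__main__":
    params = parse_authorization_request(SAMPLE_REQUEST)
    print("code token without nonce ->", check_authorization_request(params))
    print("nonce-not-required tests run for:", response_types_for_test(False))
    print("nonce-required tests run for:", response_types_for_test(True))
```

Run stand-alone, the script reports that the `code token` request without a nonce is accepted and that the "not required" set is `code` and `code token`, which is the outcome jogu asks for in the last comment.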