w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

spec mentions that 'nonce' is always included in token POST parameters #364

Open pkotwicz opened 2 years ago

pkotwicz commented 2 years ago

Spec mentions that 'nonce' is always included in token POST parameters.

'nonce' is an optional parameter to navigator.credentials.get() in the Chromium implementation. If 'nonce' is not passed into navigator.credentials.get(), it is not included in the token POST parameters.

cbiesinger commented 2 months ago

This does seem to still be an issue: https://w3c-fedid.github.io/FedCM/#fetch-identity-assertion unconditionally includes nonce in the list, but this needs to be conditional.
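
The behaviour discussed in this thread, seen from the identity provider's side, as an added example that is not part of the issue or of the FedCM project's code: the token endpoint treats 'nonce' as optional in the POST body and only echoes it into the token when the relying party supplied one. The field names `client_id` and `account_id`, the claim layout, and both function names are assumptions made for illustration.

```javascript
// Added example (not from the FedCM repository). Parses the
// application/x-www-form-urlencoded body of the token POST and treats
// 'nonce' as optional, as the Chromium behaviour in this issue requires.
// 'client_id' and 'account_id' are assumed field names.
function parseAssertionRequest(body) {
  const params = new URLSearchParams(body);
  const request = {};

  // Assumed required fields: exactly one non-empty value each.
  for (const name of ['client_id', 'account_id']) {
    const values = params.getAll(name);
    if (values.length !== 1 || values[0] === '') {
      return { ok: false, error: `missing or duplicated ${name}` };
    }
    request[name] = values[0];
  }

  // 'nonce' may be absent. A repeated 'nonce' is rejected so that two
  // parsers can never disagree about which value was bound to the token.
  const nonces = params.getAll('nonce');
  if (nonces.length > 1) {
    return { ok: false, error: 'duplicated nonce' };
  }
  // null means "the RP did not pass a nonce", distinct from any sent value.
  request.nonce = nonces.length === 1 ? nonces[0] : null;

  return { ok: true, request };
}

// Builds the claims for the issued token (hypothetical JWT-style layout).
// The nonce claim is emitted only when the request carried one; the IdP
// never invents a nonce on the RP's behalf.
function buildTokenClaims(request, issuedAt) {
  const claims = {
    sub: request.account_id,
    aud: request.client_id,
    iat: issuedAt,
  };
  if (request.nonce !== null) {
    claims.nonce = request.nonce;
  }
  return claims;
}
```

A relying party that did pass a nonce should still verify that the returned token carries the same value, since the absence of the claim is only expected when no nonce was sent.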