On 9 Feb 2021, at 06:55, Andrii Deinega <andrii.dein...@gmail.com> wrote:
> 
> Hi WG,
> 
> I wonder if there are any particular reasons to not make nonce a mandatory 
> parameter for the current JWT Response for OAuth Token Introspection draft. 
> Or, at least, force an AS to include the nonce claim in a JWT response when 
> a nonce is present in the introspection request, similar to what happens in 
> the equivalent scenario for the OpenID Connect ID Token? 
> 
> https://openid.net/specs/openid-connect-core-1_0.html#:~:text=If%20present%20in%20the%20Authentication%20Request%2C,value%20sent%20in%20the%20Authentication%20Request.
> 
> This would allow mitigating replay attacks because clients can correlate the 
> response with the initial request.

ID tokens involve flows using an insecure channel (the browser). This is not 
the case for introspection requests which happen over a direct TLS connection 
and so are already protected against replay attacks. 

— Neil
-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
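As an added illustration (not code from this thread, nor from any AS or client implementation), this is what the client-side check Andrii proposes would look like: a constructed HS256-signed introspection JWT and a validator that, OIDC-style, rejects the response when a nonce was sent but the claim is absent or differs. The shared key, the `typ` value, and the flat claim layout are assumptions made for the demo; a real AS would sign with an asymmetric key and the draft's claim structure may differ.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the demo only; a real AS signs with its private key.
KEY = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_introspection_jwt(claims: dict, key: bytes = KEY) -> str:
    """Stand-in for an AS minting a JWT introspection response (HS256, assumed layout)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "token-introspection+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_introspection_jwt(token: str, sent_nonce: Optional[str], key: bytes = KEY) -> dict:
    """Verify the signature, then bind the response to the request via the nonce claim.

    Mirrors the ID Token rule: if the request carried a nonce, the response MUST
    carry the same value; an absent or different claim means the response cannot
    be correlated with this request and is treated as a possible replay.
    """
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if sent_nonce is not None:
        if "nonce" not in claims:
            raise ValueError("nonce sent in request but missing from response")
        if not hmac.compare_digest(claims["nonce"], sent_nonce):
            raise ValueError("nonce mismatch: response does not belong to this request")
    return claims


def accepts(token: str, sent_nonce: Optional[str], key: bytes = KEY) -> bool:
    """Boolean wrapper so callers can branch on the outcome without catching exceptions."""
    try:
        validate_introspection_jwt(token, sent_nonce, key)
        return True
    except ValueError:
        return False
```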