> On 11 Feb 2021, at 21:43, Andrii Deinega <andrii.dein...@gmail.com> wrote:
>
> Thank you for the response! Unfortunately, I'm still not convinced that there is no need for nonce.
>
> Based on the draft, I don't know how it's possible to achieve a “stronger assurance that the authorization server issued the token introspection response for an access token, including cases where the authorization server assumes liability for the content of the token introspection response” if we can't guarantee that a client will always get the response to its initial introspect request, or in other words, old communications can be never reused (the iat claim isn't going to be sufficient for that).

The whole point about liability is being able to establish it after the fact. A nonce is only meaningful within the initial interaction and so is no help at all for establishing liability.

> Let's put aside those attackers for a moment and say we experience some awfully wrong caching issues that can happen anywhere between an AS and a client... where the client gets a cached response for its previous requests which isn't expected. How can it be prevented?

1. TLS.
2. Cache-Control.

— Neil

--
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
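Added example, written for this page and not taken from the thread or from the draft's authors: a minimal client-side check of a JWT-secured introspection response that shows the two separate jobs the thread is arguing about. `verify_signature` is the after-the-fact check (a stored response keeps verifying regardless of time, which is what establishes liability on the AS), while `verify_introspection` adds the `aud` and `iat` freshness checks a client applies at the moment of use, which is what bounds replay of an old response when there is no nonce. Assumptions of mine: HS256 over a constructed shared secret stands in for the asymmetric JWS a real AS would use; the claim layout (`iss`, `aud`, `iat`, `token_introspection`) follows draft-ietf-oauth-jwt-introspection-response; the issuer URL, key, token values and the `max_age` window are all constructed.

```python
# Added example, not from the thread: signed JWT introspection response with
# separate after-the-fact (signature) and at-time-of-use (iat/aud) checks.
# Assumptions: HS256 with a shared secret stands in for the AS's asymmetric
# JWS; claim names follow draft-ietf-oauth-jwt-introspection-response; all
# keys, URLs and tokens below are constructed for the example.
import base64
import hashlib
import hmac
import json

AS_ISSUER = "https://as.example"          # constructed issuer URL
AS_KEY = b"constructed-shared-secret"     # constructed; a real AS uses a private key
TYP = "token-introspection+jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jws(claims: dict, key: bytes = AS_KEY) -> str:
    """Compact JWS (HS256) over `claims`, as the AS would return it."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": TYP})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def as_introspect(token: str, client_id: str, now: int, key: bytes = AS_KEY) -> str:
    """AS side: signed introspection response for `token`, issued at `now`.

    The token store is a constructed stub: only "good-token" is active.
    """
    if token == "good-token":
        body = {"active": True, "client_id": client_id, "scope": "read", "exp": now + 300}
    else:
        body = {"active": False}
    return sign_jws({"iss": AS_ISSUER, "aud": client_id, "iat": now, "token_introspection": body}, key)


def verify_signature(jws: str, key: bytes = AS_KEY) -> dict:
    """Signature, header and issuer checks only, no freshness.

    This is the after-the-fact check: a stored response still verifies
    long after the exchange, which is what pins liability on the AS.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != TYP:
        raise ValueError("unexpected JOSE header")  # refuses alg=none and wrong typ
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("wrong issuer")
    return claims


def verify_introspection(jws: str, client_id: str, now: int,
                         max_age: int = 60, key: bytes = AS_KEY) -> dict:
    """Client side at time of use: signature plus `aud` plus `iat` freshness.

    `max_age` bounds how old an otherwise valid response may be; that window,
    not a nonce, is what limits replay of a stale or cached response.
    """
    claims = verify_signature(jws, key)
    if claims.get("aud") != client_id:
        raise ValueError("response not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, int):
        raise ValueError("missing iat")
    if iat > now + 5:                  # small allowance for clock skew
        raise ValueError("iat in the future")
    if now - iat > max_age:
        raise ValueError("stale introspection response")
    return claims["token_introspection"]


def accepted(jws: str, client_id: str, now: int, **kw) -> bool:
    """True if the client would act on `jws` at time `now`."""
    try:
        verify_introspection(jws, client_id, now, **kw)
        return True
    except ValueError:
        return False
```

The HTTP-layer half of the reply is outside the block: the client sends, and the AS returns, `Cache-Control: no-store` so that no intermediary serves a previous response, and TLS keeps an on-path cache out of the exchange altogether. Whether a 60-second `max_age` is tight enough depends on the deployment; it is a constructed value here.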