Merge pull request #23 from millenc/main
fix: add requirement on Nonce payload to contain an actual random value
peppelinux authored Apr 18, 2024
2 parents d9e1650 + 90a4693 commit 2a9cf90
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions draft-demarco-oauth-nonce-endpoint.md
Expand Up @@ -32,6 +32,7 @@ author:

normative:
RFC2119: RFC2119
RFC4086: RFC4086
RFC5246: RFC5246
RFC6749: RFC6749
RFC7159: RFC7159
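Review bot: RFC4086 is added to the `normative` list, but the only place this change cites it is the new sentence in the Non-normative Examples section, where the randomness recommendation is introduced with "typically". If the entropy requirement is meant to be binding, keep the reference normative and phrase the citing sentence with a MUST or SHOULD; otherwise list it under `informative` so the reference classification matches how it is used.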
Expand Down Expand Up @@ -187,12 +188,13 @@ In cases where, for some reasons, a correctly issued Nonce can no longer be cons

# Non-normative Examples of a Nonce Payload

The decrypted Nonce payload may use different formats and encodings, according to the different implemententative requirements, and contains any kind of implementation-specific claims, such as the issuance time, the time of expiration, the audiences and other where needed.
The decrypted Nonce payload MAY use different formats and encodings, according to the different implementation requirements and contain any kind of implementation-specific claims, such as the issuance time, the time of expiration, the audiences and others where needed.

Below are provided some non-normative examples, describing how a decrypted and JSON serialized Nonce payload may appear:
Below are provided some non-normative examples, describing how a decrypted and JSON serialized Nonce payload MAY appear:

~~~~
{
"jti": "0452767d-549d-4765-bd43-a0bcc2a6659a",
"iss": "https://server.example.org",
"iat": 1615908701,
"exp": 1615995101,
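Review bot: The section heading says "Non-normative Examples of a Nonce Payload", yet the reworded lines now use the RFC 2119 keyword MAY twice ("MAY use different formats and encodings", "MAY appear"). A capitalised MAY inside a non-normative section carries no requirement and only invites confusion; consider lowercase "may" here, or move the statement that the payload format is implementation-defined into the normative section that specifies the Nonce payload. The typo fix ("implemententative" to "implementation") and "other" to "others" are fine.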
Expand All @@ -204,7 +206,9 @@ Below are provided some non-normative examples, describing how a decrypted and J
}
~~~~

Please note that the values represented in the previous examples may depend on domain specific requirements and MUST NOT be intended as normative.
Please note that the values represented in the previous examples are informative.

In any case, the payload MUST include some unique value (`"jti"` on the example above), typically generated using a pseudo-random number generator with sufficient entropy [RFC4086], to ensure that the encrypted digest (the actual Nonce) is also unique.

# Security Considerations

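Review bot: The new MUST ("the payload MUST include some unique value") is a normative requirement placed in a section whose heading says Non-normative Examples, immediately after a sentence declaring the example values informative, so a reader scanning for requirements will miss it. Suggest moving it to the section that specifies Nonce issuance or to Security Considerations, and tightening the wording: "in the example above" rather than "on the example above", and replace "typically generated using a pseudo-random number generator with sufficient entropy" with a testable statement such as "generated with a cryptographically secure random number generator providing at least N bits of entropy [RFC4086]" with N chosen by the authors. As written, "sufficient" gives implementers nothing to check, and "typically" makes the random source optional even though unpredictability, not just uniqueness, is what the Nonce needs.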
Expand Down Expand Up @@ -252,4 +256,3 @@ This document has no IANA actions.
{:numbered="false"}

TODO acknowledge.
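Review bot: Whitespace-only change (one trailing blank line removed) unrelated to the commit subject; fine to merge, but the `TODO acknowledge.` placeholder immediately above is still unresolved and should be filled in before publication.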