Uniqueness of nonces of non-normative examples

[millenc]

Maybe this is a nitpick but on section 8. Non-normative Examples of a Nonce Payload the following nonce payload is shown as example:

{
  "iss": "https://server.example.org",
  "iat": 1615908701,
  "exp": 1615995101,
  "source_endpoint": "https://server.example.org/nonce-endpoint",
  "aud": [
    "https://service.example.com/endpoint",
    "https://another.example.com/cb"
  ]
}

If an Authorization Server encrypts a payload such as this to obtain a nonce it could end up generating non-unique values if multiple requests are served at the same time (second). The only claims in this JSON object that are subject to change are iat and exp, which are defined as NumericDate (A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.).

Since uniqueness is a hard requirement for nonces to fulfill their intended purpose, I think it would be best if this non-normative example includes some actual random value (such as the jti claim with a UUID for example).

[peppelinux]

I agree with you, therefore the jti claim should be included in the payload.

this issue is duplicate with #6, however I appreciate your analysis.

I'll add this change before the end of this weekend.

at the same time, if you want to propose a PR, I would be glad to review it and add you as formal contributor of this brand new specs

[millenc]

this issue is duplicate with #6, however I appreciate your analysis.

Sorry, my bad. I did a quick review on open issues but that one somehow slipped by. It's fine by me if we close this issue and continue the discussion on that one instead.

at the same time, if you want to propose a PR, I would be glad to review it and add you as formal contributor of this brand new specs

I've created a PR:

#23

Let me know what you think.