You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If an Authorization Server encrypts a payload such as this to obtain a nonce it could end up generating non-unique values if multiple requests are served at the same time (second). The only claims in this JSON object that are subject to change are iat and exp, which are defined as NumericDate (A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.).
Since uniqueness is a hard requirement for nonces to fulfill their intended purpose, I think it would be best if this non-normative example includes some actual random value (such as the jti claim with a UUID for example).
The text was updated successfully, but these errors were encountered:
this issue is duplicate with #6, however I appreciate your analysis.
Sorry, my bad. I did a quick review on open issues but that one somehow slipped by. It's fine by me if we close this issue and continue the discussion on that one instead.
at the same time, if you want to propose a PR, I would be glad to review it and add you as formal contributor of this brand new specs
Maybe this is a nitpick but on section 8. Non-normative Examples of a Nonce Payload the following nonce payload is shown as example:
If an Authorization Server encrypts a payload such as this to obtain a nonce it could end up generating non-unique values if multiple requests are served at the same time (second). The only claims in this JSON object that are subject to change are
iat
andexp
, which are defined as NumericDate (A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.).Since uniqueness is a hard requirement for nonces to fulfill their intended purpose, I think it would be best if this non-normative example includes some actual random value (such as the
jti
claim with a UUID for example).The text was updated successfully, but these errors were encountered: