I did not find the explanation I am looking for in the docs or previous issues, hence I would like to ask here. The nonce value is supposed to be sent during the authentication request and obtained via the identity token to ensure and prevent replay attacks. Before implementing a nonce value, I could see that by default a nonce is being generated and passed in the identity token obtained via the authentication response. Is this natural behavior, and can I use it for replay verification?
As of now the nonce is all handled internally
Hey Brock, thank you so much for the quick response. I would like to confirm if the same applies to the behavior of the "state" parameter which is used to maintain state between the request and the callback?
state is for you to use any way you want.
Cool, I've got all my answers. Great work on this library mate. Thank you so much for your efforts.
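
The nonce round trip discussed in this thread, as an added example that is not part of the thread and not the library's own code: a fresh nonce is stored when the request is built, then compared once against the `nonce` claim of the returned identity token. The names `beginAuthRequest`, `checkCallback`, `sampleIdToken` and the in-memory `pending` map are hypothetical, and signature validation of the token is assumed to happen elsewhere.

```javascript
// Added illustration; not the library's code. ID token signature validation
// is assumed to be done elsewhere and is NOT shown here.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const pending = new Map(); // state -> nonce (stands in for session storage)

function b64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Before redirecting: create a fresh state and nonce and remember the pair.
function beginAuthRequest() {
  const state = b64url(webcrypto.getRandomValues(new Uint8Array(16)));
  const nonce = b64url(webcrypto.getRandomValues(new Uint8Array(16)));
  pending.set(state, nonce);
  return { state, nonce }; // both are sent in the authentication request
}

// Read the claims from the payload segment of a JWT (no signature check).
function decodeClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64));
}

// On callback: the stored nonce is consumed exactly once, so a replayed
// response finds nothing to match against.
function checkCallback(state, idToken) {
  const expected = pending.get(state);
  if (expected === undefined) return 'unknown-or-replayed-state';
  pending.delete(state); // single use, even if the comparison below fails
  const { nonce } = decodeClaims(idToken);
  return nonce === expected ? 'ok' : 'nonce-mismatch';
}

// Constructed sample token for the demo only; the signature is a dummy.
function sampleIdToken(nonce) {
  const enc = (o) => b64url(new TextEncoder().encode(JSON.stringify(o)));
  return `${enc({ alg: 'RS256' })}.${enc({ sub: 'alice', nonce })}.constructed`;
}
```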