openid.nonce added

Imran Ghory imranghory at
Sat May 21 04:31:09 PDT 2005

On 5/21/05, Karl Koscher <mrsaturn at> wrote:

> Erm, is this really necessary? Can't a consumer just include something
> like that in their return URL, that in turn is part of the message
> hashed by the identity server? It seems like an extra implementation
> detail that doesn't really get you anything that you couldn't get
> otherwise, but perhaps I'm missing something?

I disagree, the existence on a nonce or not can seriously impact the
security of an authentication and an ID server (or indeed the user)
may want to have the system automatically refuse to authenticate to a
consumer that is insecure, and hence the ID server needs to know about
the nonce as well.


More information about the yadis mailing list