Oracle Access Manager (OAM) OpenId Connect (OIDC) Authorization Code Grant Flow Generates Id Token Without Nonce Claim Received
(Doc ID 2720408.1)
Last updated on FEBRUARY 10, 2022
Applies to:Oracle Access Manager - Version 188.8.131.52.190609 and later
Information in this document applies to any platform.
Authorization code grant flow generates Id token without "Nonce" claim received
- Oracle Access Manager (OAM)
- OpenId Connect (OIDC)
Implementing the OIDC Authorization Code Grant Flow sends an Authorization request with the "nonce" attribute but the generated Id token does not contains the "nonce" claim.
Documentation - Chapter 36.1.1 OpenIDConnect ID Token at Table 36-1 Claims within the ID Token used by OpenIDConnect, the nonce parameter is one of the Request parameters, and as per the OIDC standard (https://openid.net/specs/openid-connect-core-1_0.html#IDToken), for the "nonce" Claim, (...)Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.(...)
Why the "nonce" claim in not returned in the Id Token?
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document