Reference Implementation - Incorrect Nonce
The security spec says that the nonce is supposed to be passed through unmodified from the authentication request to the ID token. When I do an OIDC deep link launch, the nonce in the ID token is different from what my tool sent in the authentication request. Why is this?
I brought this up a year ago - they responded yesterday and indicated it has not yet been addressed.
We had to temporarily disable nonce validation in our tools when interfacing with the reference implementation to continue testing.
Good morning - this should be updated in the deployed instance here shortly (https://lti-ri.imsglobal.org/release_notes), can one of you test this and confirm it's good to go? Thanks
Nonce OK, deployment_id gone?
Hi There,
The nonce does seem to be working, thanks!
That being said, it appears the deployment_id is no longer present in the id_token.
In the deep linking spec it shows it as a required field:
This is the id_token that was sent:
And I can validate that my application found it to be missing.
Additionally, when setting up the platform it asks for the audience, however, that field actually fills out the issuer claim - seems confusing?
Thanks!
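The two checks discussed in this thread, written as a tool-side sketch. This is an added example, not part of the original posts and not code from the reference implementation. It assumes the id_token signature, issuer, audience and expiry have already been verified by a JWT library; `NonceStore` and `check_launch_claims` are hypothetical names, and the sample claims are constructed.

```python
import secrets
import time

# Claim name defined by the LTI 1.3 specification.
DEPLOYMENT_ID_CLAIM = "https://purl.imsglobal.org/spec/lti/claim/deployment_id"


class NonceStore:
    """Hypothetical in-memory record of nonces the tool put in auth requests."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._issued = {}  # nonce -> time it was issued

    def issue(self, now=None):
        """Create a nonce to send in the authentication request."""
        nonce = secrets.token_urlsafe(32)
        self._issued[nonce] = time.monotonic() if now is None else now
        return nonce

    def consume(self, nonce, now=None):
        """Accept a nonce once, and only within the TTL."""
        issued_at = self._issued.pop(nonce, None)  # pop makes it single-use
        if issued_at is None:
            return False  # never issued, altered in transit, or replayed
        now = time.monotonic() if now is None else now
        return (now - issued_at) <= self.ttl


def check_launch_claims(claims, store, now=None):
    """Return the names of failed checks for already-verified claims."""
    problems = []
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not store.consume(nonce, now):
        problems.append("nonce")
    deployment_id = claims.get(DEPLOYMENT_ID_CLAIM)
    if not isinstance(deployment_id, str) or not deployment_id:
        problems.append("deployment_id")
    return problems


if __name__ == "__main__":
    store = NonceStore()
    sent = store.issue()
    # Constructed claims: nonce echoed back unmodified, deployment_id absent.
    print(check_launch_claims({"nonce": sent}, store))
```

Keeping the nonce check behind a function like this lets a tool log the failure against a known-buggy platform in a test environment without removing the check from the code path.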