oauth2.dev

cnonce

IETF

Registry Context

`cnonce` is a "client-nonce". A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS. claim.

Technical Summary

Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth) Section 5.10 defines `cnonce` for JWT claim sets with the registry description: "client-nonce". A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS..

When Used

Used in JWTs that follow Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth) Section 5.10.

Normative Requirements

Authorization servers

MUST
1
  1. 9200 - Section 5.10

    include the submitted `cnonce` parameter value in the `cnonce` claim..

    Condition: When the client submitted a cnonce parameter in the access token request.

    the AS MUST include the value of this parameter in the cnonce claim specified here

Validation Guidance

error

When processing `cnonce`, apply the syntax and semantics from Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth) Section 5.10.

info

Treat `cnonce` as profile-specific unless the JWT explicitly follows the referenced specification.

Reference

Details

Entry Id
cnonce
Claim Name
cnonce
Claim Description
"client-nonce". A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS.
Change Controller
IETF
Reference
RFC9200 - Section 5.10