3.2.5.1.1.3 Processing Details

Generation of the Nonce field of the response is implementation specific, provided that the nonce meets the following requirements:

  • The server MUST be able to verify that any nonce value received from the client in a request for a primary refresh token (section 3.2.5.1.2) matches a nonce that was previously issued by the server.

  • The server SHOULD be able to verify that any nonce value received from the client in a request for a primary refresh token matches a nonce that was issued recently (see section 3.2.5.1.2.3).

  • The server SHOULD use a method that makes it difficult for an attacker to guess valid nonce values.