OIDC Authorize vs Implicit nonce

OIDC Authorize Code Flow lists a nonce value to be passed in step 1), and the nonce value does not return with the id_token. However, in OIDC Implicit Code Flow, step 1) also lists a nonce value, and it properly returns the nonce value in the response. Checking the OIDC conformant flow, nonce is only mentioned in implicit flows: https://auth0.com/docs/api-auth/intro. My question is: was the documentation the victim of a copy-paste job and nonce does not in fact work with authorize code flows, or am I missing something else entirely?


Works as the document describes. Also conforms to official OIDC guidelines.


Does not return nonce value in id_token as described. However, official implementation guidelines don't include a nonce option.

The description for nonce in authorization code flow and implicit match. Was this incorrectly copy-pasted?

The “nonce” value is still important in the code flow for OAuth and OIDC flows to prevent CSRF attacks on the “Authorize” screen. This is a bug in our implementation, we’ll address shortly. Thanks for reporting!

For more information on nonces, http://openid.net/specs/openid-connect-core-1_0.html#NonceNotes provides the context we have built our OIDC implementation to
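The NonceNotes section linked above describes the client side of the contract: the client generates an unguessable nonce, binds it to the user's session, sends it on the /authorize request, and after the code exchange checks that the `nonce` claim in the id_token equals the stored value, accepting each nonce once. The following Python is an added example written for this thread (not Auth0's code) showing that check for the authorization code flow, together with the two failure cases the thread is about: an id_token minted without the nonce claim, and a replayed id_token. The provider is stood in for by a constructed HS256 signer with a shared secret; a real client would instead verify the provider's RS256 signature against its JWKS and also check `iss`, `aud` and `exp`.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Client side, step 1: build the /authorize request and bind nonce to the session ---
def start_login(session: dict) -> dict:
    """Generate a fresh nonce and state, store both in the server-side session,
    and return the query parameters for a response_type=code request."""
    nonce = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    session["oidc_state"] = state
    return {"response_type": "code", "scope": "openid", "state": state, "nonce": nonce}


# --- Constructed stand-in for the provider: mint an HS256-signed id_token ---
# Assumption: a shared secret is used here only so the example runs offline.
SHARED_SECRET = b"constructed-test-secret-not-for-production"


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# --- Client side, after the code exchange: verify signature, then the nonce ---
def validate_id_token(id_token: str, session: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims, or raise ValueError.

    The pending nonce is removed from the session before comparison so that a
    second presentation of the same id_token (replay) fails even if it is
    otherwise valid.
    """
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("malformed id_token")

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's choice

    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))

    expected_nonce = session.pop("oidc_nonce", None)  # single use, consumed on any outcome
    if expected_nonce is None:
        raise ValueError("no nonce pending for this session (replay or out-of-order response)")
    presented = str(claims.get("nonce", ""))
    if not hmac.compare_digest(presented.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")  # covers the "id_token has no nonce" case from the thread
    return claims


if __name__ == "__main__":
    session = {}
    params = start_login(session)
    token = mint_id_token({"sub": "user-123", "nonce": params["nonce"]})
    print("accepted:", validate_id_token(token, session)["sub"])
    for label, tok, sess in [
        ("replayed token", token, session),
        ("token without nonce", mint_id_token({"sub": "user-123"}), {"oidc_nonce": "x"}),
    ]:
        try:
            validate_id_token(tok, sess)
        except ValueError as exc:
            print(f"rejected {label}: {exc}")
```

The `session.pop` before the comparison is the detail that makes the nonce effective against replay in the code flow: a token that was valid a moment ago is refused the second time because there is no longer a pending nonce to match it against.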
