Is nonce required for the Authorization Code flow?

Hello community,

I’m implementing the Authorization Code flow via NodeJS on AWS Lambda and I have a question about the nonce.
Is it needed when using the Authorization Code flow? If not, could you please help me find some official document where it’s specified? What is the risk of not using the nonce with the Authorization Code flow?

I added a nonce parameter to the authorize request, but it isn’t returned in the JWT token, so I assume it isn’t needed, but I need some proof why it’s OK to ignore nonce.

In all examples, the nonce is used with the Implicit Flow (for example, Mitigate Replay Attacks When Using the Implicit Flow), so I assume it isn’t needed for the Authorization Code flow.

I wasn’t able to find a clear statement that nonce should not be used in the Authorization Code flow, but here is a related question on the Okta forum:
“nonce is NOT required for response_type = code according to OIDC Spec 3.1.2.1. Authentication Request”
Authorization code flow: is the nonce parameter necessary? - #2 by Lijia - Questions - Okta Developer Community

Thanks

According to the OpenID Spec, the nonce param is not required for the Auth Code Flow.

They are there to prevent replay attacks, but in the case of Auth0, auth codes are single use and should prevent a replay attack as a result.

