I’m implementing Authoziation Code flow via NodeJS Lambda AWS and I have a question about the Nonce.
Is it needed when using the Authorization Flow? If not, could please help me to find some official document where it’s specified? What is the risk do not use the Nonce for the Authorization Code flow?
I added a nonce parameter to the authorize request, but it isn’t returned in the JWT token, so I assume it isn’t needed, but I need some proof why it’s OK to ignore nonce.
In all examples, the nonce is used with the Implicit Flow ( example Mitigate Replay Attacks When Using the Implicit Flow), so I assume it isn’t needed for Authorization Code flow.
I wasn’t able to find a clear statement that nonce should not be used in the Authorization Code flow, but here is a related question on Okta forum
“nonce is NOT required for response_type = code according to OIDC Spec 184.108.40.206. Authentication Request 218”
Authorization code flow: is the nonce parameter necessary? - #2 by Lijia - Questions - Okta Developer Community