Auth0 Home Blog Docs

Nonce mismatch in OpenID Connect Enterprise Connections

I created a new OpenID Connect provider in the “Connections > Enterprise > OpenID Connect” menu.

When I try to login using my OpenID Connect provider to an application, browser redirects back to a URL like “http://localhost:3000/callback?error=invalid_request&error_description=nonce%20mismatch&state=BVT3U3oRv…”.

This happens because,
when Auth0 redirects to the authorization endpoint of my OpenID Connect provider,
it does NOT add a nonce!
The request parameters are (from Chrome developer tools)

client_id={valid-client-id}&scope=openid&response_type=code&redirect_uri=https%3A%2F%2F{tenant}.eu.auth0.com%2Flogin%2Fcallback&response_mode=query&state=XFQ...

So my OpenID Connect provider does NOT receive the nonce, and therefor cannot put it inside the id_token, but the RP (for my OpenID Connect provider) that Auth0 is hosting is checking the nonce?!

1 Like

Hi @mash!

Thank you for reaching out to us and for your patience!

Are you sending a nonce in the authentication attempt? This document may be of some help: https://auth0.com/docs/api-auth/tutorials/implicit-grant#1-get-the-user-s-authorization

Also, I would suggest adding nonce to your authentication string.

Please let me know if this helps.

Investigating … will get back when problem persists …

There was a problem in the custom OpenID Provider. Now it seems Auth0 provides more detailed error description and that helped to resolve the problem. Thanks!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.