Openid express node.js BadRequestError: nonce mismatch, expected

Please include the following information in your post:

Today, after deploying the latest version with no auth-related changes, suddenly getting this when people try to log in:
BadRequestError: nonce mismatch, expected ZrZx_BdO84nAjGCT3ZBk__RTRniNx9Qrb4gkySbw5f0, got: yPlbeGTGTi0Q_eY16TW2HL6HL0JBiXq1XYFFwPWdWuU
at /home/runvnc/auction-backend/node_modules/express-openid-connect/middleware/auth.js:120:31
at runMicrotasks ()
at processTicksAndRejections (node:internal/process/task_queues:96:5)

  • Which SDK this is regarding: e.g. express-openid-connect
  • SDK Version: e.g. 2.4.0
  • Platform Version: e.g. Node 16.3

Hey there!

It sounds like a perfect candidate for a GitHub issue and that should be the easiest and most effective way to handle that. Please open a GitHub issue here in the repo so we can work on that directly with the repo maintainers. Thank you!

Once you have the link to the repo, share it here with us so we can ping them.

Hi, I have a similar issue, where my identity provider only supports Authorization Code flow and by default express-openid-connect is using Authorization Code flow + PKCE. Hence I am also getting an error related to the nonce:
BadRequestError: nonce mismatch, expected 1qc1TV6mYBObxn3Ab5CVxLbk7-I-RJP6SkiL6a_BD9U, got: undefined
at callbackStack (\node_modules\express-openid-connect\middleware\auth.js:120:31)
at process._tickCallback (internal/process/next_tick.js:68:7)
I want to get rid of this default behaviour and use only Authorization Code flow. Any pointers for how to achieve this?

Well, people couldn’t log in… and the support said they would not try to help until I had created their special log file. So our site was mostly down until I finished redoing the authentication to just use our server, with a module I built a few years ago. And I’m working on a lot of other features, so I don’t really have time for this anymore, sorry.

I’ve noticed that in the Brave browser it goes into an infinite login_required loop instead of the aforementioned error.
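For readers hitting the two error messages quoted in this thread, here is an added example (not part of any post above and not express-openid-connect's own code) of the nonce comparison OpenID Connect requires of the client. The function names, the `nonce-A`/`nonce-B` values and the unsigned tokens are constructed for illustration, and signature verification is left out.

```javascript
// Stand-alone sketch of the OIDC nonce check. Assumption: the client stored a
// nonce when it started the login and compares it with the "nonce" claim of
// the ID token that comes back on the callback.

// Build a constructed, unsigned ID token carrying the given claims.
function makeIdToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(claims)}.`;
}

// Decode the payload segment of a compact JWT (no signature check here).
function decodeClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed ID token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare the nonce stored at login time with the one in the returned token.
function checkNonce(expectedNonce, idToken) {
  if (expectedNonce === undefined) {
    return { ok: false, reason: 'no stored nonce for this browser session' };
  }
  const { nonce } = decodeClaims(idToken);
  if (nonce !== expectedNonce) {
    return { ok: false, reason: `nonce mismatch, expected ${expectedNonce}, got: ${nonce}` };
  }
  return { ok: true, reason: 'nonce matches' };
}

// Three constructed callbacks for a session that stored "nonce-A".
function runCases() {
  const stored = 'nonce-A';
  return {
    // Token issued for this login attempt.
    match: checkNonce(stored, makeIdToken({ sub: 'user1', nonce: 'nonce-A' })),
    // Token issued for a different authorization request than the stored one.
    otherRequest: checkNonce(stored, makeIdToken({ sub: 'user1', nonce: 'nonce-B' })),
    // Token in which the provider did not echo a nonce claim at all.
    missingClaim: checkNonce(stored, makeIdToken({ sub: 'user1' })),
  };
}

console.log(runCases());
```

When triaging, decode the ID token from the failing callback and look at its `nonce` claim: a different value means the response belongs to another authorization request than the one whose nonce was stored, while `undefined` means the token carries no nonce claim.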