nonce attribute, but it appears that Okta JS is automatically adding nonce to the /oauth2/v1/authorize request. As I couldn’t find a way to disable the auto-generated nonce, I am trying to find a way to access the value of nonce on the client? Or alternatively, to disable nonce in the first place?
Hi @acicchit! Thanks for pointing this out. It is optional and you should have the ability to disable it in the SDK but currently, there isn’t a way to do so. I have shared this with our SDK engineers who will make the fix/adjustment; I’ll keep you posted once this is done.
Hi @sigama, thanks for the quick response: is there at least a way for the JS client to read the value of nonce that is auto-created by the Okta SDK? This way, the client could pass that same value to our backend logic for validation with Okta. But if nonce is not exposed to the client, then I’m not sure how the extra validation can happen during the Authorization Code flow.
@acicchit looks like you can only access nonce after redirecting back. However, you can provide your own nonce, i.e. override the default, per GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API; this way you have full control.
@sigama I’m using the signInWithRedirect method and tried passing the nonce attribute in the options object, but I have the impression that it is ignored when setting responseType: 'code' for the Authorization Code Flow.
I could try to access nonce after the redirect back as you suggest, but I only see nonce in a cookie named okta-oauth-nonce: is that a documented feature? I want to be sure I’m not relying on reverse-engineering. In general, I would prefer to rely on the Okta-generated nonce value, if that is exposed via JS.
@acicchit correct, that is the nonce cookie set by the SDK; that is the value you are looking for.