Authorization Code Flow - Disable or Read `nonce` with JavaScript SDK

Hi. I’m using the Okta Auth JavaScript SDK with the OpenID Connect Authorization Code Flow. According to another post, this flow does not require a nonce attribute, but it appears that Okta JS is automatically adding nonce to the /oauth2/v1/authorize request. As I couldn’t find a way to disable the auto-generated nonce, I am trying to find a way to access the value of nonce on the client, via JavaScript, so that I can pass that value to our backend validation flow. Is there a way to retrieve the value of nonce on the client? Or alternatively, to disable nonce in the first place?

Hi @acicchit! Thanks for pointing this out. It is optional and you should have the ability to disable it in the SDK, but currently there isn’t a way to do so. I have shared this with our SDK engineers, who will make the fix/adjustment; I’ll keep you posted once this is done.

Hi @sigama, thanks for the quick response: is there at least a way for the JS client to read the value of the nonce that is auto-created by the Okta SDK? This way, the client could pass that same value to our backend logic for validation with Okta. But if the nonce is not exposed to the client, then I’m not sure how the extra validation can happen during the Authorization Code flow.

@acicchit Looks like you can only access the nonce after redirecting back. However, you can provide your own nonce, i.e. override the default, per GitHub - okta/okta-auth-js (The official js wrapper around Okta's auth API); this way you have full control.

@sigama I’m using the signInWithRedirect method and tried passing the nonce attribute in the options object, but I have the impression that it is ignored when setting responseType: 'code' for the Authorization Code Flow.
I could try to access the nonce after the redirect back as you suggest, but I only see the nonce in a cookie named okta-oauth-nonce: is that a documented feature? I want to be sure I’m not relying on reverse-engineering :)
In general, I would prefer to rely on the Okta-generated nonce value, if that is exposed via JS.

@acicchit Correct, that is the nonce cookie set by the SDK; that is the value you are looking for.