Authorization code flow: is the nonce parameter necessary?

Hi! I am implementing the authorization code flow and I am curious about the nonce parameter. Is it necessary? I have implemented a check with the state parameter, but the documentation seems to be inconsistent about if the nonce parameter is also required.

Is it insecure to not do anything with nonce?

@alina-dc Hi, nonce is a value that is returned in the ID token. It is used to associate a client session with an ID token and to mitigate replay attacks. If you are using the implicit flow, the ‘nonce’ parameter is required in the initial ‘/authorize’ request, and the ID token includes a ‘nonce’ claim that should be validated to make sure it matches the ‘nonce’ value passed to ‘/authorize.’
For more details, you can check from here:
If ‘response_type’ is code, a ‘nonce’ value isn’t required. An example when you use the Authorization Code flow:

https://${yourOktaDomain}/oauth2/default/v1/authorize?client_id=0oabucvy
c38HLL1ef0h7&response_type=code&scope=openid&redirect_uri=http%3A%2F%2Flocal
host%3A8080&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601’

Hi! Thanks so much for your fast and clear response. Thanks for confirming–since I’m using the authorization code flow, I won’t do anything with a ‘nonce’ value.

I’m looking over the documentation and I realize that given your response, the API documentation for the /authorize endpoint (https://developer.okta.com/docs/reference/api/oidc/#authorize) may be inaccurate. The request parameters chart says that the nonce parameter is required, but that doesn’t seem to be the case based on your response.

Just pointing it out in case it’s worth updating the documentation to say nonce is actually not required.

Thank you for pointing this out @alina-dc! We will update our API doc to reflect that nonce is NOT required for response_type = code according to OIDC Spec 3.1.2.1. Authentication Request.

1 Like