@alina-dc Hi, nonce is a value that is returned in the ID token. It is used to associate a client session with an ID token and to mitigate replay attacks. If you are using the implicit flow, the ‘nonce’ parameter is required in the initial ‘/authorize’ request, and the ID token includes a ‘nonce’ claim that should be validated to make sure it matches the ‘nonce’ value passed to ‘/authorize.’
For more details, you can check from here:
If ‘response_type’ is code, a ‘nonce’ value isn’t required. An example when you use the Authorization Code flow:
https://${yourOktaDomain}/oauth2/default/v1/authorize?client_id=0oabucvy
c38HLL1ef0h7&response_type=code&scope=openid&redirect_uri=http%3A%2F%2Flocal
host%3A8080&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601’