acquia / http-hmac-spec

An HMAC message format for securing RESTful web APIs.

Enforce a nonce #4

Closed cpliakas closed 8 years ago

cpliakas commented 9 years ago

From @pwolanin in #1:

Finally, there is no nonce value specified in the spec.

I would say every implementation must have a nonce even if the back-end doesn't currently track it.

cpliakas commented 9 years ago

@pwolanin I agree with you that this would be a good idea, but it would be helpful to explicitly state why this is a good idea even if the backend doesn't track it. Any references to articles or best practices supporting this request would be great.

cpliakas commented 8 years ago

Marking as fixed, a Nonce is enforced in the 2.0 spec.
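One way a verifier can use a signed nonce, as an added example that is not part of the original thread or of http-hmac-spec: the base string layout, `Verifier`, `make_request`, the key and the 300-second window are all constructed for illustration. Because the nonce is covered by the signature, the same client requests are valid whether or not the backend tracks nonces, and only the tracking verifier rejects a replayed request.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret"   # constructed sample key
MAX_SKEW = 300                         # assumed freshness window, seconds


def sign(method, path, body, nonce, timestamp, secret=SECRET):
    """Sign a constructed base string that covers the nonce and timestamp."""
    base = "\n".join([method, path, nonce, str(timestamp),
                      hashlib.sha256(body).hexdigest()])
    return hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Checks signature and freshness; optionally remembers nonces."""

    def __init__(self, track_nonces):
        self.track_nonces = track_nonces
        self.seen = {}                 # nonce -> timestamp it was signed with

    def verify(self, req, now):
        expected = sign(req["method"], req["path"], req["body"],
                        req["nonce"], req["timestamp"])
        if not hmac.compare_digest(expected, req["signature"]):
            return "bad-signature"
        if abs(now - req["timestamp"]) > MAX_SKEW:
            return "stale"
        if self.track_nonces:
            # Forget nonces whose requests would fail the freshness check anyway.
            self.seen = {n: t for n, t in self.seen.items()
                         if abs(now - t) <= MAX_SKEW}
            if req["nonce"] in self.seen:
                return "replay"
            self.seen[req["nonce"]] = req["timestamp"]
        return "ok"


def make_request(now):
    """Build a constructed signed request as a client would."""
    req = {"method": "POST", "path": "/tasks", "body": b'{"run": true}',
           "nonce": secrets.token_hex(16), "timestamp": now}
    req["signature"] = sign(req["method"], req["path"], req["body"],
                            req["nonce"], req["timestamp"])
    return req
```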