auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.
MIT License

AuthorizationParameters.nonce is discarded. #622

Open timvanoostrom opened 2 months ago

timvanoostrom commented 2 months ago

Description

I'm not entirely sure if it's a bug in the interface or in the application code or part of functionality that I don't understand yet but here goes:

The nonce option in the LoginOptions.authorizationParams interface is not used in the auth_verification cookie. See also: https://github.com/auth0/express-openid-connect/blob/master/lib/context.js#L245-L258 and https://github.com/auth0/express-openid-connect/blob/master/lib/context.js#L286

If it is not used in the cookie, what is it for?

Reproduction

  1. Use own login route
  2. Provide authorizationParams.nonce value
  3. Inspect auth_verification cookie
// Custom login route (step 1): the nonce passed here does not show up in the auth_verification cookie
app.get('/login', (req, res) => {
  res.oidc.login({
    authorizationParams: { nonce: 'test-nonce' },
  });
});

Additional context

No response

express-openid-connect version

2.17.1

Express version

4.18.3

Node.js version

v21.7.3

madaster97 commented 1 month ago

@timvanoostrom , the nonce parameter is part of the OIDC spec, and ties an id_token to a session in the application requesting it. All of that is handled by this library, and isn't something you need to set yourself. I think it's just exposed on the interface for completeness.

The code_challenge parameter is another example on the interface, and is part of the PKCE protocol. This library handles creating the right value and you don't need to provide it.