Depending on the flow used, the nonce parameter might be required, and some identity providers always require it.
As it is relatively cheap to implement, I suggest always sending a nonce to the identity servers for the authentication request, whatever flow is used.
What do you think?