This is called from RemoteApp.create_authorization_url which is called by RemoteApp.authorize_redirect which is called by my application (I'm not using the registry).
So if I pass my own nonce (which I'm storing in the session myself), it gets overwritten, so when I try to parse the ID token later it fails, of course. I fixed it in my app like this, but it feels extremely ugly.
So it would be nice if:
- no new nonce was generated if the caller already provided one
- there was an API to access the session data without popping it and without using internal APIs (_get_session_data); using retrieve_access_token_params just to get the nonce would be pretty inappropriate since it does much more
- there was a proper OIDC client built-in in addition to the standard OAuth2 client ;)
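
The first two requests in the issue above, sketched as an added example that is not part of the original issue and is not Authlib's code: a caller-supplied nonce is kept, the stored value can be read without popping it, and it is consumed only when the ID token's `nonce` claim is checked. The function names, the session key, and the sample URLs are hypothetical, and the session is modelled as a plain dict.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_KEY = "_example_oidc_nonce"  # hypothetical key, not Authlib's


def create_authorization_url(endpoint, client_id, redirect_uri, session, **kwargs):
    """Build an OIDC authorization URL, keeping a caller-supplied nonce."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": kwargs.pop("scope", "openid"),
        "state": kwargs.pop("state", None) or secrets.token_urlsafe(16),
    }
    # Generate a nonce only when the caller did not pass one.
    nonce = kwargs.pop("nonce", None) or secrets.token_urlsafe(16)
    params["nonce"] = nonce
    params.update(kwargs)
    session[SESSION_KEY] = nonce  # bound to this browser session
    return endpoint + "?" + urlencode(params)


def peek_nonce(session):
    """Read the stored nonce without removing it from the session."""
    return session.get(SESSION_KEY)


def verify_id_token_nonce(claims, session):
    """Consume the stored nonce and compare it with the ID token's claim."""
    expected = session.pop(SESSION_KEY, None)  # single use, so replays fail
    received = claims.get("nonce")
    if not expected or not isinstance(received, str):
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    session = {}  # constructed stand-in for the web framework's session
    url = create_authorization_url(
        "https://idp.example/authorize", "client-1",
        "https://app.example/callback", session, nonce="caller-nonce")
    print(parse_qs(urlparse(url).query)["nonce"], peek_nonce(session))
    print(verify_id_token_nonce({"nonce": "caller-nonce"}, session))
    print(verify_id_token_nonce({"nonce": "caller-nonce"}, session))
```
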