This repository was archived by the owner on Nov 6, 2020. It is now read-only.

Description
Was wondering why this test expects a nonce, it seems a nonce is only expected when id_token is sent in the request to prevent replay attacks. For this test, only 'code token' is sent, and we expect a nonce which should be optional.
Is it a requirement to pass this test for hybrid (code token) certification, if so, can I get some guidance on this issue on whether it is an issue with the OP implementation or the OP conformance test tool.
Thanks.