Using nonce to Prevent Replay
Learn how the OpenID Connect nonce parameter binds an ID token to a specific authentication request and protects against token replay attacks.
What Is the nonce?
The nonce is a random value the client generates and includes in the authentication request. The OpenID Provider echoes it back inside the issued ID token. Matching them proves the token belongs to this request.
The Replay Threat
Without a nonce, an attacker who captures a valid ID token (for example, in the Implicit or Hybrid flow where tokens travel via the browser) could replay it into another session. The nonce ties the token to one specific request, defeating replay.
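The two mechanics above (the client minting a nonce and remembering it, the OpenID Provider echoing it into the ID token, the client matching and consuming it) are shown end to end in the added example below. It is not code from this course; the provider endpoint, client id, redirect URI and HS256 shared secret are constructed placeholders, and the OP side is a stand-in that mints a signed token inline so the example runs offline. It also exercises the two replay cases: presenting the same token a second time, and presenting a token captured from a different session.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example only; not real endpoints, ids or keys.
AUTHORIZE_ENDPOINT = "https://op.example/authorize"   # hypothetical OP
CLIENT_ID = "example-client"                           # hypothetical client id
REDIRECT_URI = "https://rp.example/callback"           # hypothetical RP callback
SHARED_SECRET = b"constructed-hs256-secret-for-demo"   # constructed; HS256 keeps the demo self-contained


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class RelyingParty:
    """Minimal RP: issues nonces, builds the auth request, validates ID tokens."""

    def __init__(self):
        # Nonces awaiting an ID token, keyed by the request's state. In a real RP
        # this lives in the user's server-side session, never in a cookie the
        # browser can edit.
        self._pending: dict[str, str] = {}

    def build_auth_request(self) -> tuple[str, str]:
        """Generate state and nonce, remember the nonce, return (state, URL)."""
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)   # fresh and unguessable, one per request
        self._pending[state] = nonce
        params = {
            "response_type": "id_token",    # Implicit flow: ID token returned via the browser
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid",
            "state": state,
            "nonce": nonce,
        }
        return state, f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

    def validate_id_token(self, state: str, id_token: str) -> dict:
        """Verify the signature, then bind the token to this request via nonce."""
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        signed = f"{header_b64}.{payload_b64}".encode()
        expected_sig = hmac.new(SHARED_SECRET, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("aud") != CLIENT_ID or claims.get("exp", 0) < time.time():
            raise ValueError("wrong audience or expired")
        # pop(): the nonce is consumed on first use, so a replayed token carrying
        # the same nonce has nothing left to match against.
        expected_nonce = self._pending.pop(state, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, str(claims.get("nonce"))):
            raise ValueError("nonce mismatch: token is not bound to this request")
        return claims


def op_issue_id_token(nonce: str, subject: str = "user-123") -> str:
    """Stand-in for the OP: echoes the request's nonce into a signed ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": "https://op.example", "sub": subject, "aud": CLIENT_ID,
        "exp": int(time.time()) + 300, "nonce": nonce,
    }).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def run_scenarios() -> dict:
    """Honest flow, then replay of the same token, then a token from another session."""
    rp = RelyingParty()
    state, url = rp.build_auth_request()
    nonce = parse_qs(urlparse(url).query)["nonce"][0]   # the OP reads it from the request
    token = op_issue_id_token(nonce)
    results = {"fresh": rp.validate_id_token(state, token)["sub"]}
    other_state, _ = rp.build_auth_request()            # a second, unrelated login attempt
    for name, (st, tok) in {
        "replay_same_token": (state, token),
        "other_session_token": (other_state, token),
    }.items():
        try:
            rp.validate_id_token(st, tok)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The nonce check is deliberately the last step, after the signature, audience and expiry checks, so the RP never consumes a pending nonce for a token it would reject anyway; consuming it with `pop()` is what turns a "matches" test into a "matches exactly once" test.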