skyguy126

Reputation: 467

OpenID Connect - Implicit Flow Nonce

I'm very confused as to how the nonce parameter is actually used in OpenID Connect. I am trying to authenticate users via Microsoft Azure and Google ("Sign in with Azure" and "Sign in with Google" respectively).

Here is my current (implicit) flow.

  1. When the user loads our sign-in page in the browser, the two client libraries, Google and Azure MSAL, are initialized with our client IDs.
  2. There are two buttons on the sign-in page; each one opens a popup from the respective provider that redirects to the Google/Microsoft sign-in page.
  3. The user enters their Google/Microsoft username and password and signs in. The popup window closes upon successful authentication and an ID token is returned to the browser JavaScript.
  4. The browser JavaScript takes the ID token and sends it to our back-end, where we validate the JWT.
  5. Upon successful validation we create a session for the user and redirect the browser to the dashboard.

I'm confused as to where the nonce fits in with all of this. Is it not needed since I am using a JavaScript-based flow instead of HTTP redirects? Is it being handled implicitly by the browser client libraries?

How can I ensure that an attacker can't sniff the ID token between the Google/Microsoft server and the browser, AND between the browser and our back-end, and just re-send that ID token to authenticate as the user?

Upvotes: 0

Views: 2089

Answers (1)

Son

Reputation: 1863

The nonce is quite similar to state and also serves to counter replay attacks. The main difference is that the nonce is returned in the id_token, whereas state is returned in the redirect URI. Usually the library should generate it for you and verify it in the id_token.

Btw, if you have access to the back-end, I would recommend using the code flow instead (or at least the new PKCE flow), as the implicit flow will be deprecated soon.

Upvotes: 3
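To make the replay-protection role of the nonce concrete for the asker's architecture (back-end validates the id_token), here is an added example in Python; it is not the answerer's code or the Google/MSAL libraries' code. It assumes the back-end issues the nonce before the popup opens, the front-end passes that value as the provider's nonce parameter, and signature, iss, aud and exp checks on the id_token have already been done elsewhere.

```python
import secrets
import time


class NonceStore:
    """Server-side record of nonces issued to pre-authentication sessions.

    Constructed in-memory store for illustration; a real back-end would keep this
    in its session store so the browser alone cannot mint or replay a nonce.
    """

    def __init__(self, ttl_seconds=300):
        self._pending = {}          # session_id -> (nonce, expires_at)
        self.ttl = ttl_seconds

    def issue(self, session_id, now=None):
        """Generate a fresh, unguessable nonce for this session and remember it."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)
        self._pending[session_id] = (nonce, now + self.ttl)
        return nonce

    def consume(self, session_id, presented, now=None):
        """Return True exactly once for the matching, unexpired nonce.

        The entry is removed on any attempt, so a captured id_token presented a
        second time (or after a wrong guess) fails: that is the replay defence.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if now > expires_at:
            return False
        # Constant-time comparison on bytes; str input may be non-ASCII.
        return secrets.compare_digest(expected.encode(), presented.encode())


def accept_id_token(claims, store, session_id, now=None):
    """Decide whether an already signature-verified id_token may open a session.

    `claims` is the decoded payload. Only the nonce binding is checked here;
    signature, iss, aud and exp validation are assumed to have passed already.
    """
    presented = claims.get("nonce")
    if not isinstance(presented, str) or not presented:
        return False                # tokens issued without our nonce are rejected
    return store.consume(session_id, presented, now)
```

The same binding is what the client libraries do for you when they verify the id_token in the browser; moving it to the back-end matters here because that is where the session is actually created.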
