Google OAuth2: Custom Nonce Parameter Not Passed Back in Redirect

Question

I'm working on integrating Google OAuth2 into a WordPress plugin and trying to secure the authorization flow using a custom nonce parameter. Here’s what I’ve done:

1. Generated the nonce and added it to the authorization URL using add_query_arg:

nonce = wp_create_nonce('seo_insights_auth_nonce');
$authUrl = $client->createAuthUrl();
$authUrl = add_query_arg('nonce', $nonce, $authUrl);

2. Stored the nonce in the WordPress database for validation after the callback:

update_option('seo_insights_auth_nonce', $nonce);

3. Checked the nonce on the callback:

$stored_nonce = get_option('seo_insights_auth_nonce');
$received_nonce = isset($_GET['nonce']) ? sanitize_text_field($_GET['nonce']) : '';
if (!$stored_nonce || $received_nonce !== $stored_nonce) {
    error_log("Invalid or missing nonce. Stored: $stored_nonce, Received: $received_nonce");
    return;
}

However, after Google redirects back to my plugin, the nonce parameter is missing from the URL. Here’s the authorization URL being generated:

https://accounts.google.com/o/oauth2/v2/auth?...&nonce=abcdef123456

And here’s the URL received after Google redirects back:

https://my-site.com/wp-admin/admin.php?page=seo-insights-settings&code=...&scope=...

What I've Tried :

• Ensuring the nonce parameter is properly added to the authorization URL.
• Logging and validating the generated nonce on both sides.
• Switching to using the state parameter for validation, as suggested in the Google OAuth2 documentation.

My Questions :

• Is Google OAuth2 designed to ignore custom parameters like nonce?
• If state is the only reliable way to pass custom data, how do I handle both state and nonce securely in this flow? Any insights or recommendations for handling this issue securely within Google OAuth2 would be greatly appreciated!

Thanks in advance!