express-openid-connect
AuthorizationParameters.nonce is discarded.
Checklist
- [X] The issue can be reproduced in the express-openid-connect sample app (or N/A).
- [X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- [X] I have looked into the API documentation and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Description
I'm not entirely sure if it's a bug in the interface or in the application code, or part of functionality that I don't understand yet, but here goes:
The nonce option in the LoginOptions.authorizationParams interface is not used in the auth_verification cookie. See also: https://github.com/auth0/express-openid-connect/blob/master/lib/context.js#L245-L258 and https://github.com/auth0/express-openid-connect/blob/master/lib/context.js#L286
If it is not used in the cookie, what is it for?
Reproduction
- Use own login route
- Provide authorizationParams.nonce value
- Inspect auth_verification cookie
```js
// Own login route that passes a caller-supplied nonce to the library
app.get('/login', (req, res) =>
  res.oidc.login({
    authorizationParams: { nonce: 'test-nonce' },
  })
);
```
Additional context
No response
express-openid-connect version
2.17.1
Express version
4.18.3
Node.js version
v21.7.3