pick up nonce correctly in authorize endpoint since it could be a POST request as well

[ashfame]

This PR fixes the issue of missing nonce in id_token when it's set by the oauth client while hitting the Authorize Endpoint when POST request is used, breaking OIDC compliance.

OIDC Spec specifies both GET and POST are supported for Authorize Endpoint.

Fixes #768 which highlights the same issue