solid-client-authn-js
NSS 5.6.12 doesn't include a nonce claim in id tokens it issues
Testing OpenLink Virtuoso as an RP against https://solidcommunity.net, Virtuoso includes a nonce in its token request. The returned id token doesn't include a nonce claim. The id token validation by Virtuoso fails as a result.
Please see https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
3.1.3.7. ID Token Validation
Step 11. If a nonce value was sent in the Authentication Request, a nonce Claim must be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request...
The authorization request is:
https://solidcommunity.net/authorize?
redirect_uri=https%3A%2F%2Flocalhost%3A4443%2Fval%2Fapi%2Fthirdparty_callback
&client_id=...
&response_type=code
&scope=openid%20email%20profile
&nonce=beafc9ce...
...
I think this is consistent with https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
@cblakeley Hi! Would you be able to retest and provide an update as to whether this issue is still an issue for you? This sounds like it may be more an NSS bug instead of an SDK bug. The usage of nonce values is an important security feature.