JWT nonce claim is required, even though the spec says it's optional and some OpenID Connect providers do not provide it

[consolibyte]

The implementation here assumes that nonce is always present in the claim: https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L922

return (($claims->iss == $this->getIssuer() || $claims->iss == $this->getWellKnownIssuer() || $claims->iss == $this->getWellKnownIssuer(true))
            && (($claims->aud == $this->clientID) || in_array($this->clientID, $claims->aud))
            && ($claims->nonce == $this->getNonce())
            && ( !isset($claims->exp) || $claims->exp >= time() - $this->leeway)
            && ( !isset($claims->nbf) || $claims->nbf <= time() + $this->leeway)
            && ( !isset($claims->at_hash) || $claims->at_hash == $expecte_at_hash )
        );

However, some providers do not return a nonce here. For example, Intuit's implementation does not: https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/openid-connect

According to the spec, it seems optional (note the "if a nonce value was sent..."):

If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific. 

From: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

[nliwo]

I'm facing the same problem.

[JuliusPC]

These providers are simply not OIDC compliant, as already cited above:

If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request.

This library always sends the nonce, so it is required to expect it in the response.