For generic OAuth, is there a capability to send nonce value when redirecting?

For authorization, our OpenID provider requires a unique “nonce” to be sent when redirecting to the authorization endpoint (not just for implicit flow, but for authz token flow as well). Is there any configuration/ability to send nonce in this scenario?

Thank you.

nonce is not currently supported, but could be added and used alongside the state parameter. Does the provider support a generic OAuth 2.0 mode that doesn’t require it? My understanding is that nonce is an OpenID-specific addition to the OAuth 2.0 flow.

Thanks @dcech for the quick reply. Unfortunately, no, our in-house identity provider does not support a generic OAuth 2 mode. If contributed back, would this be something you would consider including in OSS Grafana?

I’d be very happy to help review a PR that added support for nonce :slightly_smiling_face: