My OpenID Connect Provider for some reason ignores the `nonce` parameter, so the resulting id token won't contain it and the verification fails.
Of course I could simply disable the verification by commenting it out, but of course I don't want to do this for production.
Is there any way to configure the module to just not verify the nonce? At least it seems there should be a way because of the `if nonce` condition, so as far as I understand if no nonce was added to the session, it isn't checked.
If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.
That being said, it seems the cleaner approach would be to not generate a nonce if the OP is known to be broken. I.e. skip the creation in `openidc_authorize` rather than skip the verification.
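
The approach suggested in the comment above, sketched as an added example (not the module's own code): the nonce is only generated when an opt-out allows it, and verification stays strict whenever a nonce was sent. The function names, the `use_nonce` option and the sample claims are assumptions made for illustration.

```python
import hmac
import secrets


def build_authorization_request(opts, session):
    """Build authentication request parameters (names here are hypothetical)."""
    params = {"response_type": "code", "scope": "openid",
              "client_id": opts["client_id"],
              "state": secrets.token_urlsafe(16)}
    session["state"] = params["state"]
    session.pop("nonce", None)  # never reuse a nonce from an earlier attempt
    # use_nonce=False is the opt-out for an OP known to drop the nonce.
    if opts.get("use_nonce", True):
        params["nonce"] = secrets.token_urlsafe(16)
        session["nonce"] = params["nonce"]
    return params


def verify_nonce(id_token_claims, session):
    """Check the nonce claim of an ID token whose signature is already verified."""
    expected = session.get("nonce")
    if expected is None:
        return True, None  # no nonce was sent, so there is nothing to compare
    received = id_token_claims.get("nonce")
    if not isinstance(received, str):
        return False, "id_token has no nonce claim although one was sent"
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return False, "nonce in id_token does not match the request"
    return True, None


def demo():
    """Run constructed cases; the claims dicts are sample data, not real tokens."""
    opts = {"client_id": "example-client"}
    s1, s2, s3 = {}, {}, {}
    r1 = build_authorization_request(opts, s1)
    build_authorization_request(opts, s2)
    r3 = build_authorization_request({**opts, "use_nonce": False}, s3)
    return {
        "compliant_op": verify_nonce({"sub": "alice", "nonce": r1["nonce"]}, s1),
        "op_drops_nonce": verify_nonce({"sub": "alice"}, s2),
        "opt_out": verify_nonce({"sub": "alice"}, s3),
        "opt_out_request_has_nonce": "nonce" in r3,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the opt-out set, the request carries no nonce, so the ID token is no longer bound to this particular authentication request; the `state` check still applies to the redirect itself.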