VIA-757 AJ/DB Add mandatory nonce check

ankur-jain-nhs · ankur-jain-nhs · commit 9c48b269b3ae · 2026-01-16T14:47:55.000Z
- NHS login just made nonce parameter mandatory
- Next-Auth checks whether the nonce value in auth request matches the one returned in ID Token
diff --git a/src/app/api/auth/[...nextauth]/provider.test.ts b/src/app/api/auth/[...nextauth]/provider.test.ts
@@ -18,6 +18,6 @@ describe("provider", () => {
     expect(provider.type).toEqual("oidc");
     expect(provider.authorization.params.prompt).toBe("none");
     expect(provider.client?.token_endpoint_auth_method).toEqual("private_key_jwt");
-    expect(provider.checks).toEqual(["state"]);
+    expect(provider.checks).toEqual(["state", "nonce"]);
   });
 });
diff --git a/src/app/api/auth/[...nextauth]/provider.ts b/src/app/api/auth/[...nextauth]/provider.ts
@@ -27,7 +27,7 @@ const NHSLoginAuthProvider = async (): Promise<OIDCConfig<Profile>> => {
       userinfo_signed_response_alg: "RS512",
     },
     idToken: true,
-    checks: ["state"],
+    checks: ["state", "nonce"],
   };
 };
 
