0.13 throws away oidc nonce provided by the application

[ThiefMaster]

See this snippet here:

authlib/authlib/integrations/_client/base_app.py

Lines 189 to 193 in 3834a2a

	if scope and scope.startswith('openid'):
	# this is an OpenID Connect service
	nonce = generate_token(20)
	kwargs['nonce'] = nonce
	rv['nonce'] = nonce

This is called from RemoteApp.create_authorization_url which is called by RemoteApp.authorize_redirect which is called by my application (I'm not using the registry).

So if I pass my own nonce (which I'm storing in the session myself) it gets overwritten, so when I try to parse the id token later it fails of course. I fixed it in my app like this but it feels extremely ugly.

So it would be nice if:

• no new nonce was generated if the caller already provided one
• there was an api to access the session data without popping it and without using internal apis (_get_session_data); using retrieve_access_token_params just to get the nonce would be pretty inappropriate since it does much more
• there was a proper OIDC client built-in in addition to the standard OAuth2 client ;)

[lepture]

Fixed in v0.14