-
Eric Chiang authored
Problems with this:

* Code that didn't originate an oauth2 flow would always have to skip nonce checks.
* Code that checks nonces is likely to be dependent on the context of the Verify call, for example an HTTP request in a handler. The hook doesn't provide this context since it's global to the verifier.
* The weirdness of this being conditional to if the nonce was present.

Overall I think it's simpler to let the user do the nonce verification.
9e2f6d98
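A caller-side nonce check of the kind the commit message leaves to the user, as an added example that is not code from this commit or the project. The `verifiedToken` type, the `oidc_nonce` cookie name and the helper names are hypothetical, and the token is assumed to have already passed signature, issuer and audience verification.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// verifiedToken stands in for the verifier's result; only the nonce claim
// matters here (hypothetical type, not the project's).
type verifiedToken struct{ Nonce string }

var errNonce = errors.New("nonce mismatch")

// checkNonce compares the token's nonce claim with the value this client
// stored in the hypothetical "oidc_nonce" cookie when it started the flow.
// The expected value lives in the request, which a verifier-wide hook never sees.
func checkNonce(r *http.Request, tok verifiedToken) error {
	c, err := r.Cookie("oidc_nonce")
	if err != nil || c.Value == "" {
		return fmt.Errorf("%w: no nonce recorded for this session", errNonce)
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(tok.Nonce)) != 1 {
		return errNonce
	}
	return nil
}

// callbackStatus is what a redirect handler would return after verification.
// Code that receives tokens from a flow it did not start has nothing to
// compare against and simply does not call checkNonce.
func callbackStatus(r *http.Request, tok verifiedToken) int {
	if err := checkNonce(r, tok); err != nil {
		return http.StatusBadRequest
	}
	return http.StatusOK
}

// newCallback builds a constructed callback request with the given cookie nonce.
func newCallback(cookieNonce string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/callback", nil)
	if cookieNonce != "" {
		r.AddCookie(&http.Cookie{Name: "oidc_nonce", Value: cookieNonce})
	}
	return r
}

func main() {
	fmt.Println(callbackStatus(newCallback("n-123"), verifiedToken{Nonce: "n-123"}))
}
```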