Problems with this:
* Code that didn't originate an oauth2 flow would always have to
  skip nonce checks.
* Code that checks nonces is likely to be dependent on the context
  of the Verify call, for example an HTTP request in a handler. The
  hook doesn't provide this context since its global to the verifier.
* The weirdness of this being conditional to if the nonce was present.

Overall I think it's simpler to let the user do the nonce verification.