Remove nonces, state is enough

pretix_oidc/auth.py

@@ -59,10 +59,8 @@ class OIDCAuthBackend(BaseAuthBackend):
 
     def authentication_url(self, request):
         oidc_state = rndstr()
-        oidc_nonce = rndstr()
         request.session["oidc_state"] = {
             oidc_state: {
-                "nonce": oidc_nonce,
                 "next": request.GET.get("next", None),
                 "generated_on": int(time.time()),
             }
@@ -73,7 +71,6 @@ class OIDCAuthBackend(BaseAuthBackend):
                 "client_id": self.client.client_id,
                 "response_type": "code",
                 "scope": self.scopes,
-                "nonce": oidc_nonce,
                 "redirect_uri": self.redirect_uri(request),
                 "state": oidc_state,
             }
@@ -104,9 +101,6 @@ class OIDCAuthBackend(BaseAuthBackend):
         if response_state not in oidc_state:
             return [None, None]
 
-        if auth_response["nonce"] != oidc_state[response_state]["nonce"]:
-            return [None, None]
-
         if oidc_state[response_state]["generated_on"] < time.time() + 5 * 60:
             return [None, None]