As per the current behaviour, Liferay expects the OpenID provider to include a Nonce claim in the ID Token in a refresh token flow. There is actually an ambiguity in the OpenID Connect specification whether this claim should be included or not: https://bitbucket.org/openid/connect/issues/1025/ambiguity-with-how-nonce-is-handled-o
As it happens, OpenID Provider implementations have interpreted this ambiguity differently, and Liferay fails to refresh ID Tokens against those that omit the claim.
To prevent this, we will make nonce claim validation optional in the OpenID Connect Provider configuration.
- As an Instance Administrator, I want to configure whether the nonce claim is optional for the configured OpenID Connect provider, so that the portal does not fail to refresh the ID Token when OpenID Connect is configured.
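The following Python sketch is an added illustration of the validation policy the story above asks for; it is not Liferay's code. It assumes the ID Token claims arrive as a dict after signature verification, that the nonce generated at login is kept in the session, and that a boolean `nonce_optional_on_refresh` stands in for the per-provider configuration switch.

```python
"""Illustrative nonce-claim policy for ID Token validation (not Liferay's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NoncePolicy:
    # Assumed stand-in for the per-provider configuration switch.
    nonce_optional_on_refresh: bool = False


def check_nonce(claims: dict, session_nonce: str, flow: str, policy: NoncePolicy) -> bool:
    """Return True when the ID Token's nonce claim is acceptable for this flow.

    flow is "authentication" (the initial authorization response) or
    "refresh" (an ID Token returned by the token endpoint for a refresh token).
    """
    if flow not in ("authentication", "refresh"):
        raise ValueError(f"unknown flow: {flow}")
    nonce = claims.get("nonce")
    if flow == "authentication":
        # On the initial response the nonce binds the ID Token to this login
        # attempt, so it must be present and must match; the switch never
        # relaxes this case.
        return nonce is not None and nonce == session_nonce
    # Refresh flow: providers disagree on whether the claim is present.
    if nonce is None:
        return policy.nonce_optional_on_refresh
    # A nonce that IS present must still match the one issued at login;
    # making the claim optional never means accepting a wrong value.
    return nonce == session_nonce


# Constructed sample claims, as an OpenID Provider might return on refresh.
SESSION_NONCE = "sample-nonce-123"
REFRESH_WITHOUT_NONCE = {"iss": "https://op.example", "sub": "1234", "aud": "liferay-client"}
REFRESH_WITH_NONCE = dict(REFRESH_WITHOUT_NONCE, nonce=SESSION_NONCE)
```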