The OIDC standard requires the `nonce` parameter in the authentication request when using the implicit flow:

> nonce REQUIRED. String value used to associate a Client session with an ID Token, and to mitigate replay attacks.

However, in the hybrid flow the `nonce` is not required. Yet the `id_token` is directly returned in the response and is also susceptible to injection or replay.

Why is the `nonce` parameter not required in the hybrid flow? What secures the hybrid flow from injection or replay of