[Code Flow, Ory Hydra 2.3.0] "nonce" is omitted in ID Token when passed as request parameter (not inside signed JWT Request Object)

### Preflight checklist

- [x] I could not find a solution in the existing issues, docs, nor discussions.
- [x] I agree to follow this project's [Code of Conduct](https://github.com/ory/hydra/blob/master/CODE_OF_CONDUCT.md).
- [x] I have read and am following this repository's [Contribution Guidelines](https://github.com/ory/hydra/blob/master/CONTRIBUTING.md).
- [x] I have joined the [Ory Community Slack](https://slack.ory.com).
- [ ] I am signed up to the [Ory Security Patch Newsletter](https://www.ory.com/l/sign-up-newsletter).

### Ory Network Project

_No response_

### Describe the bug

Details: 
* ORY Hydra 2.3.0
* OIDC Authorization Code Flow
* Signed request JWT (RS256)
* Following the https://openid.net/specs/openid-connect-core-1_0.html specification
* Ory Hydra specification: https://www.ory.com/docs/polis/sso-flow#openid-connect-flow

Issue
When using a signed request parameter (Request Object) without **nonce** inside the JWT, but providing **nonce** as a regular query parameter:

`
&nonce=testNonce123
`

Hydra does not include nonce in the issued ID Token.
If nonce is included inside the signed JWT, the ID Token correctly contains it.

Sample Request (mocked):
```
https://auth.example.com/oauth2/auth
?request=<signed_jwt>
&response_type=code
&client_id=test-client
&scope=openid
&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback
&nonce=testNonce123
```

Expected Behavior
If nonce is provided as an authorization request parameter (even outside the Request Object), it should be included in the ID Token.



### Reproducing the bug

Construct a request using the following example:  

`https://auth.example.com/oauth2/auth?request=<signed_jwt>&response_type=code&client_id=test-client&scope=openid&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&nonce=testNonce123` 

If the nonce is absent from the JWT request, it won't be returned in the ID Token.

### Relevant log output

```shell

```

### Relevant configuration

```yml

```

### Version

2.3.0

### On which operating system are you observing this issue?

Linux

### In which environment are you deploying?

Kubernetes with Helm

### Additional Context

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Code Flow, Ory Hydra 2.3.0] "nonce" is omitted in ID Token when passed as request parameter (not inside signed JWT Request Object) #4069

Preflight checklist

Ory Network Project

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Code Flow, Ory Hydra 2.3.0] "nonce" is omitted in ID Token when passed as request parameter (not inside signed JWT Request Object) #4069

Description

Preflight checklist

Ory Network Project

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions