Update openid-connect.md

I was advised by jasuri (Sr. PM) that "Required" section for nonce should be "Recommended" instead of "Yes".

https://teams.microsoft.com/l/message/19:[email protected]/1730462081719?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47&groupId=56c43627-9135-4509-bfe0-50ebd0e47960&parentMessageId=1730297232988&teamName=Cloud%20Identity%20-%20Account%20Management&channelName=B2C%20-%20Acct%20Mgmt&createdTime=1730462081719

Author: rui0122

articles/active-directory-b2c/openid-connect.md

@@ -59,7 +59,7 @@ client_id=00001111-aaaa-2222-bbbb-3333cccc4444
 | {tenant} | Yes | Name of your [Azure AD B2C tenant]( tenant-management-read-tenant-name.md#get-your-tenant-name). If you're using a [custom domain](custom-domain.md), replace `tenant.b2clogin.com` with your domain, such as `fabrikam.com`.  |
 | {policy} | Yes | The user flow or policy that the app runs. Specify the name of a user flow that you create in your Azure AD B2C tenant. For example: `b2c_1_sign_in`, `b2c_1_sign_up`, or `b2c_1_edit_profile`. |
 | client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
-| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
+| nonce | Recommended | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
 | response_type | Yes | Must include an ID token for OpenID Connect. If your web application also needs tokens for calling a web API, you can use `code+id_token`.|
 | scope | Yes | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application need a *refresh token* for extended access to resources. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
 | prompt | No | The type of user interaction that you require. The only valid value at this time is `login`, which forces the user to enter their credentials on that request. |