fix!(oauth): use either token or id_token for nonce (#1532)

While I think this should only fix problems, and any working solution will be working around this problem, there's still some risk that setting nonce will break an implementation. Please carefully test this commit and make sure logging in still works for all strategies.

Author: bmulholland

src/schemes/oauth2.ts

@@ -259,7 +259,12 @@ export class Oauth2Scheme<
     // Set Nonce Value if response_type contains id_token to mitigate Replay Attacks
     // More Info: https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
     // More Info: https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-06#section-4.6.2
-    if (opts.response_type.includes('token')) {
+    // Keycloak uses nonce for token as well, so support that too
+    // https://github.com/nuxt-community/auth-module/pull/709
+    if (
+      opts.response_type.includes('token') ||
+      opts.response_type.includes('id_token')
+    ) {
       opts.nonce = _opts.nonce || randomString(10)
     }