When working with modern authentication flows, security is paramount. Developers often need to integrate authentication with trusted identity providers such as Google or Microsoft. This is where OpenID Connect (OIDC) comes into play.
OIDC is an identity layer built on top of OAuth 2.0. It allows your application to verify the identity of a user and to obtain basic profile information in a secure way. Starting with the latest enhancements to the cs.NetKit.OAuth2Provider class, 4D 21 now makes it easier to work with OpenID Connect by supporting the nonce parameter, along with new token attributes, including the id_token.
When you request standard OAuth 2.0 scopes, you’ll receive an access_token, which is meant to access APIs but does not tell you who the user is. To identify the user, you must include the openid scope. This activates the OpenID Connect layer and ensures that the identity provider also returns an id_token.
Additional scopes can enrich the information included in the id_token:
- openid → required, activates OpenID Connect and provides an id_token.
- profile → optional, returns profile information such as name, nickname, and picture.
- email → optional, includes the user’s email address.
The nonce parameter is specific to OpenID Connect requests. It binds the returned ID Token to the client session: your application generates an unpredictable value, stores it in the session, sends it in the authentication request, and the identity provider copies it unchanged into the ID Token. Comparing the stored value with the nonce claim on return lets you detect a replayed or injected token.
- It’s optional in the authorization code flow (and required in the implicit flow), but strongly recommended in every case.
- The value is passed unmodified from the authentication request to the ID Token, so it must be random and used only once; a fixed string such as "randomNonce456" is only a placeholder for the example below.
What is the id_token?
The id_token is a property of the token object, returned when the openid scope is requested. It contains user identity information in JWT format (a signed JWS: header, payload and signature, each base64url-encoded). Since it’s encoded as text, you’ll need to deserialize the JWT in order to read its contents. To do this, you can use the JWT class contained in Netkit. Keep in mind that decoding is not verification: before trusting the claims, the signature must be checked against the provider’s published keys (selected by the kid in the header), and the iss, aud, exp and nonce claims must match what your application expects.
var $provider:={}
$provider.name:="Microsoft"
$provider.permission:="signedIn"
$provider.clientId:="xxxx" // the application (client) ID registered with the provider
$provider.redirectURI:="http://127.0.0.1:80/authorize/" // loopback redirect URI registered for this client
$provider.scope:="openid profile email" // request identity + profile info
$provider.nonce:="randomNonce456" // optional nonce value; in production generate a random, single-use value and keep it in the session
var $oauth:=cs.NetKit.OAuth2Provider.new($provider)
var $token:=$oauth.getToken()
// Access the id_token
If ($token.token.id_token#Null)
// Deserialize the JWT result with cs.NetKit.JWT class
var $openID:=cs.NetKit.JWT.new().decode($token.token.id_token)
// Compare the nonce claim with the value sent in the request
// (in addition to checking the signature, iss, aud and exp before trusting the claims)
If ($openID.payload.nonce=$provider.nonce)
ALERT("Hello "+$openID.payload.name)
End if
End if
//$openID={
// header: {
// typ: "JWT";
// alg: "RS256"; // signature algorithm; your validation should expect RS256 rather than trust this field blindly
// kid: "HS23b7Do..." // identifies which of the provider's published public keys signed the token
// };
// payload: {
// aud: "b6822251-7..."; // the clientId (your application); must match your own clientId.
// iss: "https://login.microsoftonline.com/06dc191b-7348-4b66-b0d9-806cb7d9455b/v2.0"; // the issuer; must match the provider/tenant you expect.
// iat: 1758537433; // the time when the token was issued.
// nbf: 1758537433; // the earliest time when the token is considered valid.
// exp: 1758541333; // the token expiration time.
// email: "your.name@outlook.com";
// name: "Your Name";
// nonce: "randomNonce456"; // the value sent in the request to protect against replay attacks (if used).
// oid: "064fd139-65..."; // the unique identifier of the user’s account in the identity provider’s directory (the same across applications)
// preferred_username: "your.name@outlook.com";
// rh: "1.AV8AGxncBkhz..."; // internal claim used by Microsoft Entra ID to revalidate tokens; applications should ignore it
// sid: "008cb789-7..."; // session ID
// sub: "6RcYjA-CqS..."; // the unique identifier of the user, specific to this application
// tid: "06dc191b-73..."; // identifies the tenant (organization)
// uti: "sS7qSOW0..."; // unique token identifier (equivalent to the JWT jti claim)
// ver: "2.0"
// };
// signature: "gy4AwVunCf_NbeUP..."
//}
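The following is an added example, written in Python rather than 4D, and is not part of the article or of the NetKit library. It carries the three pieces of the flow above through in code: building the authorization request with the openid/profile/email scopes and a random nonce, decoding the id_token, and then the validation the 4D snippet only hints at (expected alg, signature, iss, aud, exp/nbf/iat, and the nonce compared against the session value). The issuer, client id, endpoint and shared key are constructed placeholders; the HMAC signature check is a stand-in for the RS256 check against the provider’s JWKS key that a real relying party performs, and demo_token exists only so the example can run offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Relying-party settings. Issuer, client id and key are constructed placeholders
# for this offline demo, not values taken from the article.
EXPECTED_ISSUER = "https://issuer.example/v2.0"
EXPECTED_AUDIENCE = "client-id-of-this-app"  # must equal the clientId you registered
ALLOWED_ALGS = {"HS256"}  # demo only; production: {"RS256"}, never read from the token
CLOCK_SKEW = 60           # seconds of tolerance when comparing iat/nbf/exp
DEMO_KEY = b"demo-shared-secret-for-the-offline-test"  # stand-in for the provider's key


def new_nonce() -> str:
    """Unpredictable, single-use value; store it in the login session before
    redirecting so the callback can compare it against the id_token."""
    return secrets.token_urlsafe(32)


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, nonce, state):
    """'openid' turns on OIDC (and the id_token); 'profile'/'email' enrich it;
    nonce binds the id_token to this session, state protects the redirect."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "nonce": nonce,
        "state": state,
    }
    return authorize_endpoint + "?" + urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str):
    """Split header.payload.signature. This only decodes; it proves nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, claims, signing_input, _b64url_decode(parts[2])


def demo_verify(header, signing_input, signature) -> bool:
    """Stand-in for the real check. With Google or Microsoft the token is RS256:
    fetch the provider's JWKS, pick the key named by header['kid'], verify with RSA."""
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_id_token(token, session_nonce, verify_signature=demo_verify, now=None) -> dict:
    """Return the claims only if alg, signature, iss, aud, time window and nonce
    all check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    header, claims, signing_input, signature = split_jwt(token)
    if header.get("alg") not in ALLOWED_ALGS:  # blocks alg=none and alg confusion
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if not verify_signature(header, signing_input, signature):
        raise ValueError("signature check failed")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now > claims.get("exp", 0) + CLOCK_SKEW:
        raise ValueError("token expired")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iat", now + CLOCK_SKEW + 1) > now + CLOCK_SKEW:
        raise ValueError("iat missing or in the future")
    got = str(claims.get("nonce", "")).encode()
    if not session_nonce or not hmac.compare_digest(got, session_nonce.encode()):
        raise ValueError("nonce mismatch (replay or wrong session)")
    return claims


def rejection_reason(token, session_nonce, now=None):
    """None when the token is accepted, else the reason it was refused."""
    try:
        validate_id_token(token, session_nonce, now=now)
    except ValueError as exc:
        return str(exc)
    return None


def demo_token(claims, alg="HS256") -> str:
    """Mint a token for the offline test only; in real life the provider signs."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = enc({"typ": "JWT", "alg": alg, "kid": "demo"}) + "." + enc(claims)
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()
```

The order of the checks matters: the algorithm is pinned by the relying party and the signature is verified before any claim is read, so a token with alg set to none, a tampered payload, or a nonce from another session is refused before its name or email can reach the application. After the comparison succeeds the nonce should be deleted from the session so the same id_token cannot be presented twice.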
Conclusion
With the introduction of nonce and id_token support, 4D simplifies the integration of OpenID Connect. By requesting the right scopes, decoding the id_token, and validating it (signature, issuer, audience, expiry and nonce) before trusting its claims, your applications can securely authenticate users while accessing reliable identity information.
