How nonce and state parameters are stored and transmitted in IdentityServer4?

Question

I have read Here about the difference between state and nonce parameters and from what I understood that state parameter is generated by the Authentication server(Identity server) and is used by the client for preventing CSRF attacks whereas nonce parameter is generated by the client and then the Authentication server will include it in the token and client will use it for checking token validity.

My first question is: Is the above flow correct in case of identityServer4 when using implicit grant type or not?

My second question: Where nonce parameter is stored on the user's agent (browser) and how does the client generate and transmit it?

My third question: How client cross-check the state parameter if it's valid or not?

Answer 1

No, both state and nonce are generated by client. Similarly, they are validated by client.

state prevents CSRF attacks. Authorization server will include the state so that authorization response can be validated for original request from client end. Similarly nonce is generated by client. Authorization server simply include it in tokens for validation.

is the above flow correct in case of identityServer4 when using implicit grant type or not?

identityServer4 must support including state and nonce in appropriate responses. I believe it does.

Where nonce parameter is stored on the user's agent (browser) and how does the client generate and transmit it?

This will depend on the client implementation. OIDC protocol provide a guide on nonce implementation

One method to achieve this for Web Server Clients is to store a cryptographically random value as an HttpOnly session cookie and use a cryptographic hash of the value as the nonce parameter

How client cross-check the state parameter if it's valid or not?

When client receives the authorization response, it must verify the precense of state parameter in response URL's query parameters (or fragments). Then it must compare the value with original value it generated.