oauthjs / node-oauth2-server

Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js

Home Page: https://npmjs.org/package/oauth2-server

Implement nonce mechanism

soulchild opened this issue · comments

I've been tasked to implement the nonce mechanism into our current OAuth2 server. The OAuth 2.0 Security Best Practices document states:

The OP associates the nonce to the authorization code and attests this binding in the ID token, which is issued as part of the code exchange at the token endpoint.

So, I need to find a way to attach the value passed as the nonce query parameter during the initial authorization request to the code. Unfortunately, the request is not passed to the saveAuthorizationCode() method of the OAuth model, so I have no direct way of extracting the query parameter and storing it alongside the code for later retrieval when the token request comes in.

Furthermore, there doesn't appear to be a straightforward way to get the code from inside the saveToken() method of the model to fetch the nonce associated with the code to include it in the issued id_token.

Does anyone have any ideas on how to implement this?

I managed to implement this by forking https://www.npmjs.com/package/express-oauth-server and integrating it there (fixing the long-standing lodash vulnerability along the way).