“IDX10311 RequireNonce is true” error occurs when an application is not able authenticate via Azure AD due to nonce cookie related issues.
The error message displayed is:
IDX10311: RequireNonce is ‘true’ (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’.
Possible root cause is that the nonce cookie is missing or altered during the authentication with AAD.
Please note that it is normal for application to throw this error if user
- Clicks browser’s Back button and authenticates again
- Tries to login after a long time of inactivity
- Uses the site in multiple tabs
In these cases, it is better to implement a code block to catch this exception and redirect the user accordingly.
Solution
In my case, the error occurred because the claim policy was not applied in Azure AD. Applying this policy solved the issue. If this doesn’t solve the issue in your case, please try the following:
- Check “Home page URL” and “Reply URL” on Azure portal. They should be the same
- Make sure that the site is in Intranet Zone in IE
- Check if the application has multiple redirections
- Delete cookies on the client side and restart Azure site
- For further troubleshooting, collect Fiddler trace to check nonce cookies