Open Web Interface for .NET (OWIN), Cannot Login, "IDX21323: RequireNonce is '[PII is hidden]'" or "RequireNonce is 'True'"

Overview

When building an app with the Open Web Interface for .NET (OWIN), an error occurs with the message IDX21323: RequireNonce is '[PII is hidden]' or RequireNonce is 'True' after entering the password and the MFA code. The error is reproduced only when a couple of minutes pass before the login flow is completed. It typically happens when there is a delay in the SMS MFA code delivery.

Full error message:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

(NOTE: The "IDX21323: RequireNonce is '[PII is hidden]'" part can be "IDX21323: RequireNonce is 'True'" instead.)


Applies To
  • IDX21323 RequireNonce

Cause

This issue can occur when serving the app over HTTP (unencrypted) on the localhost environment.

In the following scenario, Chromium will drop cross-site cookies:

  • Visit website A (your application) and get some cookies.
  • Then, visit website B (Auth0 tenant).
  • When website B makes a POST request to website A, cookies issued for website A will not be attached.

The two-minute threshold comes from a "grace period" that Chromium applies before it stops sending such cookies, as described in the Chromium FAQ. Specifically, a cookie with no SameSite attribute that is at most 2 minutes old will still be sent on a top-level cross-site POST request.
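To make the grace-period rule concrete, here is an added Python model of Chromium's decision for the nonce cookie; it is not part of this article or of the OWIN library. The cookie name, the two-minute constant and the simplified rules are assumptions drawn from Chromium's documented SameSite behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Chromium's "Lax + POST" mitigation: a cookie with no SameSite attribute is treated
# as Lax, except that it is still sent on a top-level cross-site POST while it is
# younger than two minutes. This grace period is what produces the 2-minute symptom.
LAX_POST_GRACE_SECONDS = 120  # assumed constant, matches the Chromium FAQ


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]   # "Strict", "Lax", "None", or None when no attribute was set
    secure: bool
    age_seconds: float


def nonce_cookie(age_seconds: float, over_https: bool, same_site_none: bool) -> Cookie:
    """Constructed model of the nonce cookie the OWIN middleware issues: Secure only
    when the app is served over HTTPS, SameSite=None only when explicitly configured."""
    return Cookie("OpenIdConnect.nonce", "None" if same_site_none else None,
                  over_https, age_seconds)


def cookie_is_stored(cookie: Cookie) -> bool:
    """Set-Cookie acceptance: SameSite=None is rejected unless Secure is also present."""
    return not (cookie.same_site == "None" and not cookie.secure)


def cookie_is_sent(cookie: Cookie, cross_site: bool, top_level: bool, method: str) -> bool:
    """Simplified Chromium rule for attaching an already stored cookie to a request."""
    if not cross_site:
        return True
    if cookie.same_site == "None":
        return True
    if cookie.same_site == "Strict":
        return False
    safe_method = method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE")
    if cookie.same_site == "Lax":
        return top_level and safe_method
    # No attribute: Lax by default, plus the grace period for top-level POSTs.
    return top_level and (safe_method or cookie.age_seconds < LAX_POST_GRACE_SECONDS)


def callback_receives_nonce(age_seconds: float, over_https: bool, same_site_none: bool) -> bool:
    """Auth0 (site B) POSTs the response to /callback on the app (site A): a top-level,
    cross-site POST. False means the nonce is missing and IDX21323 will be raised."""
    cookie = nonce_cookie(age_seconds, over_https, same_site_none)
    return cookie_is_stored(cookie) and cookie_is_sent(cookie, True, True, "POST")
```

Running the scenarios side by side shows why HTTP on localhost fails after two minutes, why SameSite=None alone is rejected without Secure, and why HTTPS plus SameSite=None survives any delay.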

Steps to Reproduce

  1. Use the Quickstart app
  2. Start the login flow. Input an email.
  3. Before entering the password, wait for 2 minutes.
  4. Enter the password and submit.
  5. The /callback endpoint returns 500 with the error message “IDX21323: RequireNonce is 'True'. OpenIdConnectProtocolValidationContext.Nonce was null…”

Waiting more than 2 minutes before submitting credentials causes the app to fail to validate the "nonce" parameter stored in a cookie, because the browser no longer sends the nonce cookie on the cross-site POST once it is more than 2 minutes old.

Successful (when finishing the login flow in under 2 minutes): [screenshot]

Failed (when waiting more than 2 minutes): [screenshot]

Solution

Serve the app over HTTPS to add the "Secure" attribute to the cookie. The OWIN library will automatically add the "Secure" attribute to the nonce cookie when the app is served over HTTPS. This cannot be done on the localhost environment served over HTTP.

If it does not solve the issue, try the "SameSite=None" setting.

NOTE: This is only example code and is not production ready: 

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // other options...
    // Send the cookie on cross-site requests. Browsers only accept
    // SameSite=None together with Secure, so the app must be served over HTTPS.
    CookieSameSite = SameSiteMode.None,
});
