That’s my read as well, but my experience with OIDC providers (especially machine identity providers) is that they don’t provide any mechanism for configuring the nonce (because they aren’t doing a traditional OAuth2 authentication request). Specifically, GitHub Actions, GCP, and GitLab don’t support this (to my knowledge).
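Because the relying party cannot inject a nonce into these workload identity tokens, replay and binding protection has to come from the remaining claims. The following Python verifier is an added example, not code from this thread or from any of the providers named above: it pins the signing algorithm, checks issuer, audience, subject prefix, `exp`/`iat`, and keeps a `jti` replay cache in place of a nonce check. The token is a constructed HS256 fixture signed with a shared secret so it runs offline (real providers use asymmetric keys published at a JWKS endpoint), and the issuer, audience and subject values are assumptions loosely modelled on the shape of GitHub Actions claims, not captured from a real token.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for the constructed fixture; not taken from a real token.
DEMO_SECRET = b"demo-secret-not-for-production"
DEMO_ISS = "https://token.actions.githubusercontent.com"
DEMO_AUD = "https://vault.example.internal"
DEMO_SUB_PREFIX = "repo:example-org/example-repo:"
DEMO_NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT carrying `claims` (test fixture only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class ReplayCache:
    """Remembers each jti until the token that carried it has expired."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def check_and_store(self, jti: str, exp: float, now: float) -> bool:
        # Forget entries whose token can no longer validate anyway.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def verify_workload_token(token, expected_iss, expected_aud, expected_sub_prefix,
                          replay_cache, secret=DEMO_SECRET, now=None, leeway=30):
    """Return (True, claims) or (False, reason). No nonce is involved: binding
    comes from aud/sub, freshness from exp/iat, replay resistance from jti."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if not str(claims.get("sub", "")).startswith(expected_sub_prefix):
        return False, "unexpected subject"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired"
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        return False, "issued in the future"
    jti = claims.get("jti")
    if not jti:
        return False, "missing jti"
    if not replay_cache.check_and_store(jti, exp, now):
        return False, "replayed jti"
    return True, claims


def run_demo():
    """Exercise the verifier against constructed tokens; returns label -> outcome."""
    good = {"iss": DEMO_ISS, "aud": DEMO_AUD, "sub": DEMO_SUB_PREFIX + "ref:refs/heads/main",
            "iat": DEMO_NOW - 5, "exp": DEMO_NOW + 300, "jti": "constructed-jti-1"}
    cache = ReplayCache()
    args = (DEMO_ISS, DEMO_AUD, DEMO_SUB_PREFIX, cache)
    tok = make_token(good)
    results = {}
    results["fresh"] = verify_workload_token(tok, *args, now=DEMO_NOW)[0]
    results["replayed"] = verify_workload_token(tok, *args, now=DEMO_NOW)[1]
    results["wrong_aud"] = verify_workload_token(
        make_token({**good, "aud": "https://other.example", "jti": "j2"}), *args, now=DEMO_NOW)[1]
    results["expired"] = verify_workload_token(
        make_token({**good, "exp": DEMO_NOW - 600, "jti": "j3"}), *args, now=DEMO_NOW)[1]
    results["forged"] = verify_workload_token(
        make_token({**good, "jti": "j4"}, secret=b"attacker"), *args, now=DEMO_NOW)[1]
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The replay cache only helps when all verifiers for one audience share it (or when tokens are short-lived enough that a single-process cache is acceptable), which is why a tight `exp` window and a distinct audience per consuming service matter more here than they do in a browser flow where the nonce does that work.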