4.x - Incorrect token used for nonce validation #8386

Closed
@Verdent

Description

Environment Details

  • Helidon Version: 4.0.5
  • Helidon SE or Helidon MP: both
  • JDK version:
  • OS:
  • Docker version (if applicable):

OidcFeature checks the incorrect token for nonce presence.

Failed to read JSON from response
java.lang.IllegalStateException: Nonce is required to be present in the access token
	at io.helidon.security.providers.oidc.OidcFeature.lambda$processJsonResponse$11(OidcFeature.java:492)
	at java.base/java.util.Optional.orElseThrow(Optional.java:403)
	at io.helidon.security.providers.oidc.OidcFeature.processJsonResponse(OidcFeature.java:492)
	at io.helidon.security.providers.oidc.OidcFeature.processCodeWithTenant(OidcFeature.java:425)
	at io.helidon.security.providers.oidc.OidcFeature.processCode(OidcFeature.java:382)
	at io.helidon.security.providers.oidc.OidcFeature.lambda$processOidcRedirect$9(OidcFeature.java:374)
	at java.base/java.util.Optional.ifPresentOrElse(Optional.java:196)
	at io.helidon.common.mapper.OptionalValue.ifPresentOrElse(OptionalValue.java:173)
	at io.helidon.security.providers.oidc.OidcFeature.processOidcRedirect(OidcFeature.java:374)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.doRoute(HttpRouting.java:668)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:627)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:605)
	at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:121)
	at io.helidon.webserver.observe.metrics.MetricsFeature.lambda$configureVendorMetrics$2(MetricsFeature.java:90)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.webserver.security.SecurityContextFilter.filter(SecurityContextFilter.java:88)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.common.context.Contexts.runInContext(Contexts.java:117)
	at io.helidon.webserver.context.ContextRoutingFeature.filter(ContextRoutingFeature.java:50)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.webserver.http.Filters.executeFilters(Filters.java:87)
	at io.helidon.webserver.http.Filters.lambda$filter$0(Filters.java:83)
	at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
	at io.helidon.webserver.http.Filters.filter(Filters.java:83)
	at io.helidon.webserver.http.HttpRouting.route(HttpRouting.java:109)
	at io.helidon.webserver.http1.Http1Connection.route(Http1Connection.java:357)
	at io.helidon.webserver.http1.Http1Connection.handle(Http1Connection.java:194)
	at io.helidon.webserver.ConnectionHandler.run(ConnectionHandler.java:165)
	at io.helidon.common.task.InterruptableTask.call(InterruptableTask.java:47)
	at io.helidon.webserver.ThreadPerTaskExecutor$ThreadBoundFuture.run(ThreadPerTaskExecutor.java:239)
	at java.base/java.lang.VirtualThread.run(VirtualThread.java:309)
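
The trace above shows the nonce being demanded of the access token; in OpenID Connect the `nonce` claim is carried in the ID token, and the access token may be opaque. The following is an added example of the check made against the ID token, not Helidon code and not part of the original report. The function names and sample tokens are constructed for illustration, and signature, issuer, audience and expiry verification are assumed to have been done already.

```python
import base64
import hmac
import json


def jwt_claims(token):
    """Return the payload claims of a compact JWT, or None if the token is opaque.

    Assumption: signature, issuer, audience and expiry were verified beforehand.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token, nothing to decode
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def check_nonce(token_response, expected_nonce):
    """Validate the nonce against the ID token; the access token is never consulted."""
    claims = jwt_claims(token_response.get("id_token", ""))
    if claims is None:
        raise ValueError("token response has no decodable ID token")
    nonce = claims.get("nonce")
    if not isinstance(nonce, str):
        raise ValueError("nonce is required to be present in the ID token")
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("ID token nonce does not match the authentication request")
    return claims


def constructed_jwt(claims):
    """Build an unsigned sample JWT (constructed test data, placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"


# Constructed token response: nonce only in the ID token, opaque access token.
SAMPLE_RESPONSE = {
    "access_token": "opaque-access-token",
    "id_token": constructed_jwt({"sub": "user-1", "nonce": "n-constructed-123"}),
}
```

With an opaque access token, a check that reads the nonce from the access token fails in the way the trace shows, while `check_nonce(SAMPLE_RESPONSE, "n-constructed-123")` succeeds.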

Labels

4.x, P1, bug, security
