Correct, it’s optional.
In my example I use state for what you would use nonce for.
They are two fields that do the same thing/can be used to do the same thing.
Some implementations of OIDC have a “forced use of nonce in their library”
But basically nonce and state are the same thing.
You can see here, in the parameters table, that claims, nonce and state are all optional.
So since this is a custom script I use state like my other OAuth loops.
But if I was using a library or OIDC provider, it might force the usage of nonce
It’s a URL-encoded form, aka application/x-www-form-urlencoded, which will accept from either the POST body or URL parameters (depending on the receiver).
It is also what the documentation says to do in step 3.
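
Added example, not part of the original post: a minimal sketch of the state round trip in a custom authorization code flow, ending with the application/x-www-form-urlencoded body for the code exchange. The URLs, client ID and function names are placeholders assumed for illustration; the parameter names are the standard OAuth 2.0 ones.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholder values; not from the original post.
AUTHORIZE_URL = "https://id.example.invalid/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/callback"


def start_login(session):
    """Create a one-time state value, store it in the session, return the authorize URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if the returned state matches the stored one."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    returned = params.get("state", [""])[0]
    # Constant-time comparison; an absent stored state always fails.
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code, client_secret):
    """Build the application/x-www-form-urlencoded body for the code exchange."""
    return urlencode({
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
    })
```

Sending the result of `token_request_body` as the POST body keeps the client secret out of the request URL, where it could otherwise be written to server and proxy access logs.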