Nonce Cookie not being set in the new version of OIDC

0
Hello everyone, is someone having problems with the new version of the OIDC (4.2.0) with the nonce cookie not being set or being set but the server receives an empty nonce.2026-01-30 09:08:35.440 ERROR - REST Publish: An unexpected error occurred while handling REST requestcom.mendix.modules.microflowengine.MicroflowException: com.mendix.systemwideinterfaces.MendixRuntimeException: java.lang.NullPointerException: Cannot invoke "String.getBytes(java.nio.charset.Charset)" because "this.value" is nullat OIDC.SUB_GetNonceFromCookieAndHash (JavaAction : 'GenerateSHA256')at OIDC.handleAuthorizationCode (SubMicroflow : 'SUB_GetNonceFromCookieAndHash')at OIDC.webCallback (SubMicroflow : 'handleAuthorizationCode')at OIDC.webCallback_POST (SubMicroflow : 'webCallback')Meanwhile I confirmed that the ACT_StartWebSignIn nanoflow which calls the GetAuthorizationURLAndSetCookie microflow execute normally. The last microflow calls the javaaction SetNonceCookie which in turn is supposed to create and add the cookie in the header of the request. The issue seems to be related to the OIDC version 4.2.0, and I'd appreciate any feedback or potential solutions from others who may have encountered similar issues.
asked
4 answers
0

Hi Premtim,


I’ve looked into this quite a bit as well, and I’m seeing the same root cause. The issue is not related to microflows or nanoflows, but to how the OIDC 4.2.0 module sets the nonce cookie. With SameSite=Lax, the cookie is not reliably sent back during the cross-site redirect in modern browsers, which explains why the server receives a null/empty nonce and the GenerateSHA256 Java action fails.


Changing the cookie to SameSite=None (and ensuring HTTPS/Secure) resolves the issue, which confirms that this is a cookie handling problem in the module, not in the app logic. Given this, I’d strongly recommend opening a support ticket with Mendix, as this looks like something that should be fixed or made configurable in the OIDC module itself.


answered
0

hi,


Yes — this mostly happens because the nonce cookie isn’t reliably sent back to Mendix on the callback, which results in the server receiving an empty/null nonce and a NullPointerException in GenerateSHA256.

The OIDC module 4.2.0 sets the nonce cookie for the flow, but modern browsers and infrastructure require the cookie to have SameSite=None and Secure for cross-site redirects. If the cookie isn’t sent back on the callback (e.g., because of SameSite/Secure defaults, HTTP vs HTTPS, or proxy settings), the server ends up with an empty nonce.

What to check / fix:

Ensure the app is served over HTTPS so browsers accept SameSite=None cookies.

Confirm the nonce cookie is actually set and returned in the callback request (use browser dev tools).

Make sure your reverse proxy forwards the protocol (X-Forwarded-Proto) correctly so Mendix sets cookies with the right attributes.

This isn’t a microflow error — it’s a cookie handling issue in the OIDC callback flow with 4.2.0.

answered
0

I've just had the same issue.

I switched Callback resonse mode in the Client Configuration from "Form Post" to "Query" and the _state value got updated (used live debugger).

When retrying the login the state was successfully interpreted by the GetNonceFromCookie java action.

Let me know if this is the solution to your problem, too.

(Wanted to add screenshot, but it's not working, sorry)

answered
0

As this might have been pointed out already, this issue was because of the way the OIDC module 4.2.0 was sending the NONCE cookie. This issue has been resolved in the newest version of the OIDC module 4.3.0
https://marketplace.mendix.com/link/component/120371

- Support for applications running under a sub-path, including proper handling of Cookie and Nonce(Ticket #267982)

- Improved multi-tab browser behavior by supporting dynamic nonce cookie names during authentication flows(Ticket #270740)

To solve the problem consider upgrading the module.

answered