Description
Problem
During the Authorization Code flow (response_type=code), the application crashes with a 500 Internal Server Error during the final token exchange (POST /token). This occurs when the OIDC Client (Relying Party) does not include a nonce parameter in the initial Authorization Request.
Context
According to the OpenID Connect Core 1.0 specification, the nonce parameter is optional when using the Authorization Code flow. Some OIDC clients (such as Firebase Auth or Google) may not send this parameter.
However, the current implementation of issue_token_service.py assumes the nonce is always present in the auth_session.request_parameters.
Traceback
File "/app/api/core/oidc/issue_token_service.py", line 49, in get_claims
Claim(type="nonce", value=auth_session.request_parameters["nonce"])
KeyError: 'nonce'
Expected Behavior
The get_claims method should check for the existence of the nonce in the session parameters. If it is missing, it should omit the nonce claim from the generated token, rather than crashing the application.
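To make the failure mode and the expected behaviour concrete, here is an added example that is not code from the issue or from the oidc-controller project. It models the buggy unconditional lookup beside the fixed conditional one and runs both against constructed Authorization Code requests with and without a nonce. `Claim`, `AuthSession`, `get_claims_buggy`, `get_claims_fixed` and the sample request dicts are hypothetical stand-ins for the project's own types and data.

```python
# Added example, not the project's code: reproduces the KeyError crash and shows the
# expected behaviour (omit the nonce claim when the RP sent no nonce, echo it when it did).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Claim:
    # Hypothetical stand-in for the project's Claim model.
    type: str
    value: str


@dataclass
class AuthSession:
    # Mirrors the auth_session.request_parameters dict the traceback indexes into.
    request_parameters: dict = field(default_factory=dict)


def get_claims_buggy(auth_session: AuthSession) -> list:
    """Unconditional lookup: raises KeyError when the RP sent no nonce (the reported crash)."""
    oidc_claims = []
    oidc_claims.append(Claim(type="nonce", value=auth_session.request_parameters["nonce"]))
    return oidc_claims


def get_claims_fixed(auth_session: AuthSession) -> list:
    """Echo the nonce only when the Authentication Request carried a non-empty one."""
    oidc_claims = []
    nonce = auth_session.request_parameters.get("nonce")
    if nonce:  # assumption: an empty nonce is treated as absent
        oidc_claims.append(Claim(type="nonce", value=nonce))
    return oidc_claims


def nonce_claim(claims: list) -> Optional[str]:
    """Return the nonce claim value from a claim list, or None if no nonce claim exists."""
    for claim in claims:
        if claim.type == "nonce":
            return claim.value
    return None


# Constructed sample requests: a code-flow request without a nonce (the crashing case)
# and one with a nonce. Values are made up for the example.
CODE_FLOW_NO_NONCE = AuthSession(
    {"response_type": "code", "client_id": "example-rp", "scope": "openid"}
)
CODE_FLOW_WITH_NONCE = AuthSession(
    {"response_type": "code", "client_id": "example-rp", "scope": "openid", "nonce": "n-0S6_WzA2Mj"}
)


def reproduce() -> dict:
    """Run both versions and collect what each does for the two sample requests."""
    results = {}
    try:
        get_claims_buggy(CODE_FLOW_NO_NONCE)
        results["buggy_no_nonce"] = "ok"
    except KeyError as exc:
        # This is the unhandled exception behind the 500 in the report.
        results["buggy_no_nonce"] = f"KeyError: {exc}"
    results["fixed_no_nonce"] = nonce_claim(get_claims_fixed(CODE_FLOW_NO_NONCE))
    results["fixed_with_nonce"] = nonce_claim(get_claims_fixed(CODE_FLOW_WITH_NONCE))
    return results


if __name__ == "__main__":
    print(reproduce())
```

The fixed version uses `.get()` plus a truthiness check rather than a bare `in` test, so a request carrying `nonce=` with an empty value is treated the same as one with no nonce at all; that is a design choice of this example, not something the issue specifies. When a nonce is present it is echoed unchanged, which is what OpenID Connect Core requires for the ID Token whenever the Authentication Request included one.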
Suggested Solution
Update oidc-controller/api/core/oidc/issue_token_service.py to conditionally append the nonce claim.
# oidc-controller/api/core/oidc/issue_token_service.py
- oidc_claims.append(
- Claim(type="nonce", value=auth_session.request_parameters["nonce"])
- )
+ if "nonce" in auth_session.request_parameters:
+ oidc_claims.append(
+ Claim(type="nonce", value=auth_session.request_parameters["nonce"])
+ )
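Review bot: The `"nonce" in auth_session.request_parameters` check on the first `+` line only covers the key being absent; a client that sends `nonce=` with an empty value still gets an empty nonce claim minted into the token. Consider reading it once with `nonce = auth_session.request_parameters.get("nonce")` and guarding the append with `if nonce:`, which also avoids the second dictionary lookup. The patch also carries no regression test for the code-flow request without a nonce that produced the KeyError in the traceback; adding one alongside the service would keep the 500 from returning.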