[modeless]

I know they call it a nonce but how important is it to invalidate it instantly on first use? It's important for it to be unguessable, of course. But what security property does the invalidation serve? If an attacker can get the nonce they can just as easily get the access tokens after authentication, can't they?

[loa_in_]

The nonce is unique to the request-reply pair. Holding onto it beyond first use is useless, so it's discarded. If not that it would have to be time based otherwise (time-to-live) because server can't hold on to infinite of those. And if the time is too short it will cause problems, if it's too long it'll cause problems. It just always causes problems.

> If an attacker can get the nonce they can just as easily get the access tokens after authentication, can't they?

That's not the case. A js injection would usually lead to read access on the current page but not the next one.

[modeless]

It's my understanding that the OAuth "state" parameter nonce is generated and stored and validated on the client, not the server.

[loa_in_]

You're right. sorry. There goes me not refreshing my memory about the flow.