I am testing the LoginWithOpenIdConnect call in the Client API with Postman and I run into the following error when making multiple calls with the same IdToken:

    {
      "code": 403,
      "status": "Forbidden",
      "error": "NotAuthorized",
      "errorCode": 1089,
      "errorMessage": "Token nonce reuse is not permitted. Nonce values must be unique, and after use are invalid until the expiry of the OpenID Connect token or PlayFab token, whichever comes first."
    }

Here is my (obfuscated) request:

    POST /Client/LoginWithOpenIdConnect?sdk=PostmanCollection-0.76.190219 HTTP/1.1
    Host: XXXX.playfabapi.com
    X-PlayFabSDK: PostmanCollection-0.76.190219
    Content-Type: application/json
    cache-control: no-cache
    Postman-Token: 94017929-b4d8-4272-9fc3-5e016b0acb36

    {
      "TitleId": "XXXX",
      "ConnectionId": "XXX",
      "IdToken": "XXX",
      "CreateAccount": true
    }

The above call with a fresh token works, but if I make a subsequent call with the same token I receive the error. Given that nothing in the documentation indicates that I have control over the nonce, it would seem that it is being reused in your backend instead of being generated per request. Let me know if that is not the case.
The X-RequestId of one of my failed requests is 1-5c775aa2-5021517c78e637e826a6936c if that helps.
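
The rule quoted in the error message, modelled as a nonce replay cache. This is an added example, not part of the original post and not PlayFab's code. It assumes the check is keyed on the standard OpenID Connect `nonce` claim carried inside the ID token; `NonceReplayCache`, `session_ttl`, `make_token` and the sample issuer are hypothetical, and signature verification is left out.

```python
import base64
import json
import time


def jwt_claims(id_token):
    """Return the payload claims of a JWT. No signature check: a real
    relying party verifies the signature before trusting any claim."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class NonceReplayCache:
    """Rejects an ID token whose nonce was already used (hypothetical helper)."""

    def __init__(self, session_ttl):
        self.session_ttl = session_ttl  # assumed lifetime of the issued session
        self._blocked_until = {}        # (iss, nonce) -> unix time the block ends

    def check_and_record(self, id_token, now=None):
        now = time.time() if now is None else now
        claims = jwt_claims(id_token)
        # Forget nonces whose block has lapsed.
        self._blocked_until = {k: t for k, t in self._blocked_until.items() if t > now}
        if claims["exp"] <= now:
            return "expired"
        key = (claims["iss"], claims["nonce"])
        if key in self._blocked_until:
            return "nonce_reuse"
        # Block until token expiry or session expiry, whichever comes first.
        self._blocked_until[key] = min(claims["exp"], now + self.session_ttl)
        return "ok"


def make_token(claims):
    """Build an unsigned, constructed sample token for the demo."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg(claims), ""])


if __name__ == "__main__":
    cache = NonceReplayCache(session_ttl=300)
    token = make_token({"iss": "https://idp.example", "nonce": "n-1", "exp": 1600})
    for t in (1000, 1200, 1301, 1601):
        print(t, cache.check_and_record(token, now=t))
```

Under this model, the same ID token always presents the same nonce, so a second login with it is rejected until the block lapses, while a token with a different nonce is accepted.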