feat: add nonce and state by default

index.js

@@ -1,8 +1,9 @@
 import "dotenv/config";
 import express from "express";
-import { generators, Issuer } from "openid-client";
+import { Issuer } from "openid-client";
 import cookieSession from "cookie-session";
 import morgan from "morgan";
+import * as crypto from "crypto";
 
 const port = parseInt(process.env.PORT, 10) || 3000;
 const origin = `${process.env.HOST}`;
@@ -56,12 +57,16 @@ app.get("/", async (req, res, next) => {
 app.post("/login", async (req, res, next) => {
   try {
     const client = await getMcpClient();
+    const nonce = crypto.randomBytes(16).toString("hex");
+    const state = crypto.randomBytes(16).toString("hex");
 
     const redirectUrl = client.authorizationUrl({
       scope,
       // claims: { id_token: { amr: { essential: true } } },
       login_hint,
       acr_values,
+      nonce,
+      state,
     });
 
     res.redirect(redirectUrl);