Looks like there's a number of genuine CI failures:

RPError: nonce mismatch, expected L4O6qClQ-BhlXlTI8ahMBGHDtVgxUMkYTk1AxufX078, got: undefined

(ah, duh, that's probably because of mongodb-js/devtools-shared#489)

Those errors should be fixed once we update to the new mock oidc provider. The old one ignores the nonce completely, which now fails validation because we're expecting it in the token response.

@nirinchev Do you want to consider making this an opt-in feature, as mentioned on Slack?

Yeah, I'll try and investigate how that would look like.

@nirinchev Fwiw, I think we can really make this an option that's parallel to passIdTokenAsAccessToken; it's another boolean flag that's off by default and is exposed through the mongosh CLI options and in the Compass connection form.

In this case, I could see the case for passing the nonce by default, usually in that case I'd prefer a boolean option that still defaults to false, e.g. something that could be called skipNonceInAuthCodeRequest.

The alternative is to survey identity providers and confirm that all relevant ones support nonces – that the tests here pass means that at least Entra ID and Okta do, which is a great starting point.