The nonce primarily protects the integrity of the ID Token against replay, while the state parameter protects the client's callback endpoint from CSRF attacks.
See the comparison in the table below:

| Feature | Nonce | State | 
|---|---|---|
| Purpose | Primarily to prevent replay attacks by associating an ID Token with a specific authentication request. | Primarily to prevent Cross-Site Request Forgery (CSRF) attacks by maintaining state between the authentication request and the callback. | 
| Who Validates and When? | Validated by the Client to ensure the ID Token belongs to the current session. The Authorization Server includes it in the ID Token but does not typically validate it against a stored value. | Validated by the Client to ensure the callback response corresponds to a legitimate, client-initiated request. The Authorization Server passes it through unmodified. | 
| Inclusion | Included in the authentication request and returned within the ID Token. | Included in the authentication request and returned in the authorization response, i.e. the redirection response. |
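
The two client-side checks from the table, as an added example that is not code from the original page. It assumes a server-side session dict and that the ID Token's signature and standard claims have already been verified by a JWT library; the function names and session keys are hypothetical.

```python
import hmac
import secrets


class AuthFlowError(Exception):
    """A callback or ID Token failed its binding check."""


def matches(expected, received) -> bool:
    """Constant-time comparison that also rejects missing or non-string values."""
    if not isinstance(expected, str) or not isinstance(received, str) or not expected:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


def begin_login(session: dict) -> dict:
    """Generate fresh state and nonce, bind them to this session, and return
    them for inclusion in the authentication request."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return {"state": session["oidc_state"], "nonce": session["oidc_nonce"]}


def check_state(session: dict, returned_state) -> None:
    """At the callback: the state in the redirection response must equal the
    value this session sent. pop() makes the stored value single-use."""
    if not matches(session.pop("oidc_state", None), returned_state):
        raise AuthFlowError("state mismatch: callback not initiated by this session")


def check_nonce(session: dict, id_token_claims: dict) -> None:
    """After the ID Token is verified: its nonce claim must equal the value
    this session sent. pop() means a replayed token fails the second time."""
    if not matches(session.pop("oidc_nonce", None), id_token_claims.get("nonce")):
        raise AuthFlowError("nonce mismatch: ID Token not bound to this request")


if __name__ == "__main__":
    session = {}                      # constructed stand-in for a server-side session
    params = begin_login(session)
    check_state(session, params["state"])             # legitimate callback
    check_nonce(session, {"nonce": params["nonce"]})  # constructed claims
    try:
        check_nonce(session, {"nonce": params["nonce"]})  # same token again
    except AuthFlowError as exc:
        print("replay rejected:", exc)
```

The state check runs first, on the redirection response; the nonce check runs later, once the ID Token has been obtained and verified.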