3.2.5.1.1.3 Processing Details
Generation of the Nonce field of the response is implementation specific, provided that the nonce meets the following requirements:
The server MUST be able to verify that any nonce value received from the client in a request for a primary refresh token (section 3.2.5.1.2) matches a nonce that was previously issued by the server.
The server SHOULD be able to verify that any nonce value received from the client in a request for a primary refresh token matches a nonce that was issued recently (see section 3.2.5.1.2.3).
The server SHOULD use a method that makes it difficult for an attacker to guess valid nonce values.
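One way to satisfy all three requirements together, as an added illustration that is not drawn from the specification or from Microsoft's implementation (the MAC-over-timestamp-and-random layout, the class and method names, and the 300-second window are all assumptions):

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


class NonceIssuer:
    """Issues and verifies nonces for primary refresh token requests.

    Assumed design (not the specification's): a nonce is
    issued_at (8 bytes) || 16 random bytes || HMAC-SHA256 tag (16 bytes),
    base64url-encoded. The tag lets the server prove it issued the nonce
    without storing it (the MUST), the timestamp lets it reject stale
    nonces (the first SHOULD), and the random bytes make valid nonces
    infeasible to guess (the second SHOULD).
    """
    TAG_LEN = 16

    def __init__(self, key: bytes, max_age_seconds: int = 300):
        self._key = key
        self._max_age = max_age_seconds

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()[: self.TAG_LEN]

    def issue(self, now: Optional[int] = None) -> str:
        issued_at = int(time.time()) if now is None else now
        body = struct.pack(">Q", issued_at) + os.urandom(16)
        return base64.urlsafe_b64encode(body + self._tag(body)).decode("ascii")

    def verify(self, nonce: str, now: Optional[int] = None) -> str:
        """Returns 'ok', or the reason the nonce must be rejected."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(nonce.encode("ascii"))
        except ValueError:  # covers binascii.Error and UnicodeEncodeError
            return "malformed"
        if len(raw) != 8 + 16 + self.TAG_LEN:
            return "malformed"
        body, tag = raw[: -self.TAG_LEN], raw[-self.TAG_LEN:]
        # MUST: constant-time check that this server issued the nonce.
        if not hmac.compare_digest(tag, self._tag(body)):
            return "not issued by this server"
        # SHOULD: reject nonces outside the freshness window (or from the future).
        issued_at = struct.unpack(">Q", body[:8])[0]
        if issued_at > now or now - issued_at > self._max_age:
            return "stale"
        return "ok"
```

A stateless MAC design proves issuance and freshness but not single use; if a replayed nonce inside the window matters, the server must additionally record consumed nonces until they expire.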