docs: clarify browser nonce behavior

Copilot · bgavrilMS · web-flow · commit 026a1a296c7f · 2026-05-11T12:24:06.000Z
Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-python/sessions/d56329c6-d8ad-4440-8617-3df24459fed0 Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
diff --git a/msal/oauth2cli/oidc.py b/msal/oauth2cli/oidc.py
@@ -221,6 +221,9 @@ def obtain_token_by_browser(
             **kwargs):
         """A native app can use this method to obtain token via a local browser.
 
+        This flow still uses the nonce generated during flow initiation,
+        but the SDK no longer validates that nonce against the ID token.
+
         It implements PKCE to mitigate the auth code interception attack.
 
         :param string display: Defined in
