docs: note caller-owned validation

Copilot · bgavrilMS · web-flow · commit 2f37cf801bba · 2026-05-11T12:21:06.000Z
Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-python/sessions/d56329c6-d8ad-4440-8617-3df24459fed0 Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
diff --git a/msal/application.py b/msal/application.py
@@ -1203,6 +1203,8 @@ def acquire_token_by_authorization_code(
         :param nonce:
             If you provided a nonce when calling :func:`get_authorization_request_url`,
             this parameter is ignored and only kept for backward compatibility.
+            Applications that require nonce validation need to validate the ID
+            token nonce themselves.
 
         :param claims_challenge:
             The claims_challenge parameter requests specific claims requested by the resource provider
diff --git a/msal/oauth2cli/oidc.py b/msal/oauth2cli/oidc.py
@@ -84,6 +84,8 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
 
     The optional parameters ``client_id``, ``issuer``, ``nonce``, and ``now``
     are ignored and only kept for backward compatibility.
+    Callers that require claim validation are responsible for performing it
+    themselves.
     """
     return json.loads(decode_part(id_token.split('.')[1]))
 
