docs: clarify nonce compatibility behavior

Copilot · bgavrilMS · web-flow · commit a1fbc6f73cf9 · 2026-05-11T12:17:21.000Z
Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-python/sessions/d56329c6-d8ad-4440-8617-3df24459fed0 Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
diff --git a/msal/application.py b/msal/application.py
@@ -1202,7 +1202,7 @@ def acquire_token_by_authorization_code(
 
         :param nonce:
             If you provided a nonce when calling :func:`get_authorization_request_url`,
-            same nonce can still be provided here for backward compatibility.
+            this parameter is ignored and only kept for backward compatibility.
 
         :param claims_challenge:
             The claims_challenge parameter requests specific claims requested by the resource provider
diff --git a/msal/oauth2cli/oidc.py b/msal/oauth2cli/oidc.py
@@ -195,6 +195,9 @@ def obtain_token_by_auth_code_flow(self, auth_code_flow, auth_response, **kwargs
         """Validate the auth_response being redirected back, and then obtain tokens,
         including ID token which can be used for user sign in.
 
+        This method still uses the nonce generated during flow initiation,
+        but the SDK no longer validates that nonce against the ID token.
+
         It implements PKCE to mitigate the auth code interception attack.
 
         See :func:`oauth2.Client.obtain_token_by_auth_code_flow` in parent class
