diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
index b5787db..4ac74cb 100644
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -127,12 +127,10 @@ class OidcController < ApplicationController
 code: code,
 redirect_uri: oauth_params['redirect_uri'],
 scope: oauth_params['scope'],
+ nonce: oauth_params['nonce'],
 expires_at: 10.minutes.from_now
 )
- # Store nonce in the authorization code metadata if needed
- # For now, we'll pass it through the code itself
 # Clear OAuth params from session
 session.delete(:oauth_params)
@@ -211,7 +209,7 @@ class OidcController < ApplicationController
 )
 # Generate ID token
- id_token = OidcJwtService.generate_id_token(user, application)
+ id_token = OidcJwtService.generate_id_token(user, application, nonce: auth_code.nonce)
 # Return tokens
 render json: {
diff --git a/db/migrate/20251024053326_add_nonce_to_oidc_authorization_codes.rb b/db/migrate/20251024053326_add_nonce_to_oidc_authorization_codes.rb
new file mode 100644
index 0000000..bbcb7c2
--- /dev/null
+++ b/db/migrate/20251024053326_add_nonce_to_oidc_authorization_codes.rb
@@ -0,0 +1,5 @@
+class AddNonceToOidcAuthorizationCodes < ActiveRecord::Migration[8.1]
+ def change
+ add_column :oidc_authorization_codes, :nonce, :string
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index bb07bc4..63358e8 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[8.1].define(version: 2025_10_24_033007) do
+ActiveRecord::Schema[8.1].define(version: 2025_10_24_053326) do
 create_table "application_groups", force: :cascade do |t|
 t.integer "application_id", null: false
 t.datetime "created_at", null: false
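Review bot: The new `nonce: oauth_params['nonce']` line persists a client-supplied value as-is, so an empty-string nonce is stored as `""` and would later be echoed back into the ID token rather than being treated as absent; normalising it at this point, `nonce: oauth_params['nonce'].presence,`, keeps "no nonce requested" and "nonce requested" distinct in the stored record. The value also arrives with no length or character check visible here, and the backing column in this commit is an unconstrained `:string`; if the database enforces a varchar limit, an oversized nonce would fail at insert time instead of being rejected when the authorization request is validated, so a bounded length check at the point the request parameters are accepted would be the cleaner place for it. The method that creates this authorization code starts before the hunk, so whether such validation already exists upstream cannot be confirmed from the diff.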
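Review bot: `OidcJwtService.generate_id_token(user, application, nonce: auth_code.nonce)` passes the stored nonce unconditionally, so for authorization codes issued without a nonce (and for codes created before this migration, where the column is nil) the service receives `nonce: nil`; OIDC Core expects the claim to be omitted in that case rather than emitted as `"nonce": null`. The service is outside this diff, so it may already drop nil values, but that contract should be confirmed or made explicit at the call site, e.g. `id_token = OidcJwtService.generate_id_token(user, application, **{ nonce: auth_code.nonce }.compact)`. A short comment on the line, `# Echo the nonce from the original authorization request so the client can bind this ID token to it`, would document why the stored value is the only acceptable source here. The surrounding token-endpoint method starts and ends outside the hunk.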
@@ -100,6 +100,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_24_033007) do
 t.string "code", null: false
 t.datetime "created_at", null: false
 t.datetime "expires_at", null: false
+ t.string "nonce"
 t.string "redirect_uri", null: false
 t.string "scope"
 t.datetime "updated_at", null: false