Implement token nonces
Closed this issue · 0 comments
johndowns commented
We should implement a nonce when issuing an ID token, to mitigate replay attacks.
Before signing in, generate and write a nonce value to session storage and append it to the redirect URL. After signing in, parse the ID token and compare the nonce claim in it with that in session storage. If OK, proceed.