The error generally occurs when the request to the application does not contain the nonce cookie. To gather more insights you can follow the instructions to capture a Fiddler trace with "Decrypt HTTPS traffic" enabled.
You can also try adding these lines of code:
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // Raised when the middleware cannot validate the response, e.g. IDX21323
            // (the nonce cookie was not sent back with the callback request).
            AuthenticationFailed = authFailed =>
            {
                if (authFailed.Exception.Message.Contains("IDX21323"))
                {
                    // Suppress the exception and restart the sign-in so a fresh nonce is issued.
                    authFailed.HandleResponse();
                    authFailed.OwinContext.Authentication.Challenge();
                }
                return Task.FromResult(true);
            }
        }
    });
References:
IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Payload.Nonce was not null
MVC5 Azure AD IDX21323
I would also recommend checking out the blog post, RECEIVING ERROR IDX21323 OR DX10311 REQUIRENONCE, which suggests that this can sometimes happen if there are multiple domains pointing to the same website.
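An added example (not part of the answer above) of a complete OWIN Startup that applies both points made here: it pins RedirectUri to one canonical host so the nonce cookie set at sign-in start is sent back with the callback, and it re-challenges on IDX21323 only once, using a short-lived marker cookie so a cookie that never arrives does not turn into a redirect loop between the app and the identity provider. ClientId, Authority, RedirectUri and the /Error/NonceMissing route are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders, not real values: fill in from the app registration.
    private const string ClientId = "<client-id>";
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    private const string RedirectUri = "https://app.example.com/";
    private const string RetryCookie = "oidc_nonce_retry";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            // Pin the callback to one canonical host: the nonce cookie is scoped to the
            // host that started sign-in, so a callback on another alias arrives without it.
            RedirectUri = RedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = ctx =>
                {
                    if (!ctx.Exception.Message.Contains("IDX21323"))
                        return Task.FromResult(0); // unrelated failures surface as usual
                    ctx.HandleResponse();
                    if (ctx.OwinContext.Request.Cookies[RetryCookie] != null)
                    {
                        // Retried once and the cookie still did not come back: stop
                        // rather than bounce between the app and the identity provider.
                        ctx.OwinContext.Response.Redirect("/Error/NonceMissing"); // placeholder route
                        return Task.FromResult(0);
                    }
                    ctx.OwinContext.Response.Cookies.Append(RetryCookie, "1",
                        new CookieOptions { HttpOnly = true, Secure = true, Expires = DateTime.UtcNow.AddMinutes(2) });
                    ctx.OwinContext.Authentication.Challenge();
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

If the error page is reached, the Fiddler trace mentioned above will show whether the callback request carried the OpenIdConnect nonce cookie at all, which separates a multi-domain mismatch from a cookie being dropped by the browser.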