diff --git a/src/JSO.js b/src/JSO.js
index f089958..e7d9644 100644
--- a/src/JSO.js
+++ b/src/JSO.js
@@ -334,7 +334,8 @@ class JSO extends EventEmitter {
 request = {
 'response_type': opts.response_type || this.config.getValue('response_type', 'token'),
- 'state': utils.uuid()
+ 'state': utils.uuid(),
+ 'nonce': utils.nonce(8)
 }
 if (opts.hasOwnProperty("allowia") && !opts.allowia) {
 request.prompt = "none"
diff --git a/src/utils.js b/src/utils.js
index f54e806..0da7031 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -133,6 +133,14 @@ utils.encodeURL = function(url, params) {
 }
+utils.nonce = function(length) {
+ var res = ""
+ var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+ for(var i = 0; i < length; i++) {
+ res += chars.charAt(Math.floor(Math.random() * chars.length))
+ }
+ return res
+}
 export default utils
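Review bot: The new `'nonce': utils.nonce(8)` entry is sent in the authorization request, but nothing in this hunk retains the value the way `state` presumably is retained elsewhere, so the `nonce` claim of a returned ID token cannot be compared against it on the way back — and a nonce that is never verified gives no replay protection; the enclosing method starts and ends outside the hunk, so the retention may exist there, but it should be confirmed. Eight alphanumeric characters is also a short value for something meant to be unguessable; consider `'nonce': utils.nonce(16)` or longer, and a one-line comment on why it is generated, e.g. `// OIDC nonce: must be stored with state and checked against the ID token's nonce claim`. Since the default `response_type` here is `'token'`, the nonce only matters when an `id_token` is requested, which is worth stating in that comment.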
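Review bot: `utils.nonce` builds a security token from `Math.random()` (`res += chars.charAt(Math.floor(Math.random() * chars.length))`), which is not a cryptographically secure generator, so the nonce is predictable in principle and should come from `crypto.getRandomValues` instead; because 256 is not a multiple of the 62-character alphabet, a plain modulo would bias the first eight characters, so bytes at or above the largest multiple of 62 should be discarded. The function also accepts any `length` without checking it — a missing or non-numeric argument silently returns `""` — and has no JSDoc describing the alphabet and length of the result. The rewrite below keeps the signature and the `var`/no-semicolon style of the file.
```javascript
/**
 * Return a random string of `length` characters drawn from [A-Za-z0-9],
 * using a cryptographically secure source (crypto.getRandomValues).
 * @param {number} length - number of characters to produce (must be a positive integer)
 * @returns {string}
 */
utils.nonce = function(length) {
  if (!Number.isInteger(length) || length <= 0) {
    throw new Error("nonce: length must be a positive integer")
  }
  var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
  // Largest multiple of chars.length that fits in a byte; bytes at or above it
  // are rejected so that `byte % chars.length` is uniform over the alphabet.
  var limit = 256 - (256 % chars.length)
  var res = ""
  while (res.length < length) {
    var buf = new Uint8Array(length - res.length)
    crypto.getRandomValues(buf)
    for (var i = 0; i < buf.length && res.length < length; i++) {
      if (buf[i] < limit) res += chars.charAt(buf[i] % chars.length)
    }
  }
  return res
}
```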