diff --git a/pkg/provider/oidc.go b/pkg/provider/oidc.go
index e1aac6e..b27d05b 100644
--- a/pkg/provider/oidc.go
+++ b/pkg/provider/oidc.go
@@ -48,8 +48,12 @@ func (c *oidcExchangeConfig) verifyUpdateToken(ctx context.Context, t *Token) er
 return fmt.Errorf("oidc: verification error: %w", err)
 }
- if subtle.ConstantTimeEq(int32(len(idToken.Nonce)), int32(len(c.nonce))) == 0 ||
- subtle.ConstantTimeCompare([]byte(idToken.Nonce), []byte(c.nonce)) == 0 {
+ // If nonce is configured, make sure it matches the nonce in
+ // the ID token. It is not configured when refresh_token is
+ // sent in from an external source.
+ if len(c.nonce) > 0 &&
+ (subtle.ConstantTimeEq(int32(len(idToken.Nonce)), int32(len(c.nonce))) == 0 ||
+ subtle.ConstantTimeCompare([]byte(idToken.Nonce), []byte(c.nonce)) == 0) {
 return ErrOIDCNonceMismatch
 }
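Review bot: The new `len(c.nonce) > 0` guard makes an unset nonce a silent bypass of the replay check, so an initial authorization-code exchange whose config left `c.nonce` empty would now pass verification without the ID token's nonce ever being compared, and nothing in the hunk distinguishes that case from the externally supplied refresh_token case the comment describes. If `oidcExchangeConfig` can carry it, an explicit marker set on the refresh path (a boolean field populated where the external refresh_token is accepted, then checked here instead of the nonce length) would make the skip deliberate rather than inferred from missing data; I cannot see the struct, so this is a suggestion to confirm against the type. Failing that, the comment should state the invariant callers must uphold, e.g. `// Callers performing the initial code exchange must always set c.nonce; an empty nonce is only valid for the external refresh_token path, where no nonce was sent.` The enclosing verifyUpdateToken starts and ends outside the hunk.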