An OAuth server (including OpenID Connect providers) must check a client request's nonce, if one is specified, to make sure the same one hasn't been used in the last 5 minutes.
All of this makes sense but my question is simply, what does a server return in ?error=... if it has found the nonce was already used?
I have done a dozen or so searches on the web, in RFCs, and in some SDK code but I can't find where an error is returned and what the code would be.
The nonce is there to prevent replay attacks on the Client of the token produced by the Provider. The Client sends the nonce to the Provider so that the Provider can include it in the token. This means that the Client needs to keep track of the nonces that it produced, not the Provider. In fact the OpenID Connect spec even says in http://openid.net/specs/openid-connect-core-1_0.html#IDToken:
[other than including it in the token] Authorization Servers SHOULD perform no other processing on nonce values used
So no error code is required here as the Provider doesn't "do" anything with the nonce other than including it in the token.
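To make the division of labour in the answer concrete, here is an added example (not code from the question, the answer, or any OIDC library). A stand-in Provider simply copies whatever nonce it receives into an HS256-signed ID token; the Client generates the nonce, remembers it with an expiry, and treats the nonce as one-time use when it validates the token, so a second presentation of the same token is rejected on the Client side. The issuer URL, client id, subject, shared secret and the 5-minute nonce lifetime are all constructed values for this example; a real provider signs with asymmetric keys published at its JWKS endpoint, and the nonce lifetime is the Client's own policy choice.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example; real OIDC uses the provider's asymmetric keys
SHARED_SECRET = b"example-shared-secret-not-for-production"
NONCE_LIFETIME_SECONDS = 300  # the 5-minute window from the question, enforced by the Client


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Provider:
    """Stand-in OpenID Provider: echoes the nonce into the ID token and,
    as the spec says, performs no other processing on it."""

    def __init__(self, issuer, secret):
        self.issuer = issuer
        self.secret = secret

    def issue_id_token(self, client_id, subject, nonce, now=None):
        now = time.time() if now is None else now
        claims = {"iss": self.issuer, "sub": subject, "aud": client_id,
                  "iat": int(now), "exp": int(now) + 600}
        if nonce is not None:
            claims["nonce"] = nonce  # copied verbatim, nothing checked here
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                         + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


class Client:
    """Relying Party: creates nonces, tracks them, and accepts each one once."""

    def __init__(self, client_id, issuer, secret):
        self.client_id = client_id
        self.issuer = issuer
        self.secret = secret
        self._pending = {}  # nonce -> expiry timestamp (in-memory; use session storage in practice)

    def start_authentication(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = now + NONCE_LIFETIME_SECONDS
        return nonce  # sent to the provider as &nonce=... in the authorization request

    def validate_id_token(self, token, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header_b64, claims_b64, sig_b64 = parts
        expected = hmac.new(self.secret, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("iss") != self.issuer or claims.get("aud") != self.client_id:
            raise ValueError("wrong issuer or audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        nonce = claims.get("nonce")
        if nonce is None:
            raise ValueError("nonce missing from ID token")
        # One-time use: the first validation removes the nonce, so a replayed
        # token (or one carrying a nonce this Client never issued) is rejected.
        expiry = self._pending.pop(nonce, None)
        if expiry is None:
            raise ValueError("unknown or already-used nonce (possible replay)")
        if expiry < now:
            raise ValueError("nonce expired")
        return claims


if __name__ == "__main__":
    op = Provider("https://op.example", SHARED_SECRET)
    rp = Client("client-1", "https://op.example", SHARED_SECRET)
    n = rp.start_authentication()
    tok = op.issue_id_token("client-1", "alice", n)
    print("first use:", rp.validate_id_token(tok)["sub"])
    try:
        rp.validate_id_token(tok)
    except ValueError as e:
        print("second use rejected:", e)
```

Note that the Provider never raises anything about the nonce, which matches the answer: there is no ?error= value for a reused nonce because the replay check lives entirely in the Client.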