aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Support authorization challenge endpoint on a different domain than the AS? #55

Closed gffletch closed 3 months ago

gffletch commented 9 months ago

Like other endpoints, there is no current requirement that the authorization_challenge_endpoint is on the same domain as the authorization_endpoint or token_endpoint. Given that the sequence is really an authentication sequence, is it ok for the flow to occur at a different endpoint (like an Authorization Server redirecting the browser to a different IDP for authentication)? Do we need to support such a concept?

aaronpk commented 7 months ago

I don't think we need to say anything in particular about this. If the AS wants to redirect the browser to a different IDP, it would have to do its own OIDC flow to that IDP anyway, so a shortcut like this wouldn't work anyway.
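Since the draft places no same-domain requirement on the authorization_challenge_endpoint, a client that discovers it from AS metadata and then POSTs user credentials to it may want to notice when that endpoint is cross-origin to the issuer. The check below is an added example, not code from the draft or this repository; it assumes RFC 8414-style metadata with an `issuer` field and a constructed sample document.

```python
from urllib.parse import urlparse

# Constructed sample AS metadata: RFC 8414 fields plus the
# authorization_challenge_endpoint parameter from the first-party apps draft.
# The cross-origin challenge URL is deliberate, to exercise the findings.
SAMPLE_METADATA = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "authorization_challenge_endpoint": "https://idp.example.net/challenge",
}


def _origin(url):
    """Reduce an endpoint URL to (scheme, host, port); require absolute https."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        raise ValueError(f"endpoint must be an absolute https URL: {url!r}")
    return (p.scheme, p.hostname.lower(), p.port or 443)


def check_challenge_endpoint(metadata):
    """Return findings about where the challenge endpoint lives relative to
    the issuer and the other endpoints; an empty list means same-origin."""
    findings = []
    challenge = metadata.get("authorization_challenge_endpoint")
    if challenge is None:
        return ["no authorization_challenge_endpoint advertised"]
    try:
        challenge_origin = _origin(challenge)
    except ValueError as e:
        return [str(e)]
    if challenge_origin != _origin(metadata["issuer"]):
        findings.append("challenge endpoint is cross-origin to issuer")
    for name in ("authorization_endpoint", "token_endpoint"):
        ep = metadata.get(name)
        if ep and _origin(ep) != challenge_origin:
            findings.append(f"challenge endpoint origin differs from {name}")
    return findings


if __name__ == "__main__":
    for finding in check_challenge_endpoint(SAMPLE_METADATA):
        print(finding)
```

Whether a cross-origin finding is a hard failure or only a log line is a client policy decision; the draft itself leaves it open.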