These are TODO notes from writing up the draft spec:
[x] ensure that code id_token is not included in localhost loopback client response_types field (this was an openid/OIDC thing)
[x] ensure that implicit is not included in localhost loopback client
[x] ensure that localhost loopback client sets token_endpoint_auth_method to none not nonce (typo in earlier proposal?)
[x] ensure that PDS/entryway auth server metadata includes authorization_endpoint and token_endpoint (pretty sure this is implemented, but wasn't in the earlier proposal), and that client validation does these checks
[ ] could remove subject_types_supported from authserver metadata
[ ] could possibly remove some response_modes_supported from auth server metadata
[ ] should authserver metadata not include 'plain' in code_challenge_methods_supported?
[ ] reduce the list of declared authserver supported algos
mackuba
commented
2 weeks ago
These are TODO notes from writing up the draft spec:
code id_tokenis not included in localhost loopback clientresponse_typesfield (this was an openid/OIDC thing)implicitis not included in localhost loopback clienttoken_endpoint_auth_methodtononenotnonce(typo in earlier proposal?)authorization_endpointandtoken_endpoint(pretty sure this is implemented, but wasn't in the earlier proposal), and that client validation does these checkssubject_types_supportedfrom authserver metadataresponse_modes_supportedfrom auth server metadata