These are TODO notes from writing up the draft spec:
[x] ensure that code id_token is not included in localhost loopback client response_types field (this was an openid/OIDC thing)
[x] ensure that implicit is not included in localhost loopback client
[x] ensure that localhost loopback client sets token_endpoint_auth_method to none, not nonce (typo in earlier proposal?)
[x] ensure that PDS/entryway auth server metadata includes authorization_endpoint and token_endpoint (pretty sure this is implemented, but wasn't in the earlier proposal), and that client validation does these checks
[ ] could remove subject_types_supported from authserver metadata
[ ] could possibly remove some response_modes_supported from auth server metadata
[ ] should authserver metadata not include 'plain' in code_challenge_methods_supported?
[ ] reduce the list of declared authserver supported algos
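The checklist items above are all checks a client (or a conformance script) can run against the two metadata documents: the loopback client's own metadata and the PDS/entryway authorization server metadata. Below is an added example of those checks in Python; it is not code from the draft spec or from any atproto implementation. It uses the standard OAuth 2.0 / OIDC metadata keys named in the list (RFC 8414 for server metadata, RFC 7591 for client metadata), treats the open question about 'plain' as a finding (S256 is the stronger PKCE method), and reports subject_types_supported as a removable OIDC-only field. The sample documents are constructed for illustration.

```python
"""Metadata checks matching the TODO checklist (added example, not spec code)."""
from urllib.parse import urlparse


def check_loopback_client_metadata(meta: dict) -> list[str]:
    """Return findings for a localhost loopback client's metadata.

    Expectations: response_types must be exactly ["code"] (no "code id_token"
    OIDC hybrid response type), no implicit grant, and token_endpoint_auth_method
    must be "none" since a loopback client is a public client.
    """
    findings = []
    response_types = meta.get("response_types", [])
    if not response_types:
        findings.append("response_types is missing or empty")
    for rt in response_types:
        if rt != "code":
            findings.append(f"response_types contains {rt!r}; only 'code' is allowed")
    # RFC 7591 default for grant_types is ["authorization_code"].
    grant_types = meta.get("grant_types", ["authorization_code"])
    if "implicit" in grant_types:
        findings.append("grant_types contains 'implicit'")
    method = meta.get("token_endpoint_auth_method")
    if method != "none":
        hint = " (did you mean 'none'?)" if method == "nonce" else ""
        findings.append(f"token_endpoint_auth_method is {method!r}, expected 'none'{hint}")
    return findings


def _is_absolute_url(value) -> bool:
    """True when value is a string with both a scheme and a host."""
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc)


def check_authserver_metadata(meta: dict) -> list[str]:
    """Return findings for PDS/entryway authorization server metadata.

    Expectations: authorization_endpoint and token_endpoint must be present and
    absolute URLs; PKCE with S256 must be offered; 'plain' is flagged as weak;
    subject_types_supported is flagged as an OIDC-only field that could go.
    """
    findings = []
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in meta:
            findings.append(f"{key} is missing")
        elif not _is_absolute_url(meta[key]):
            findings.append(f"{key} is not an absolute URL: {meta[key]!r}")
    methods = meta.get("code_challenge_methods_supported", [])
    if "S256" not in methods:
        findings.append("code_challenge_methods_supported lacks 'S256'")
    if "plain" in methods:
        findings.append("code_challenge_methods_supported includes 'plain' (weaker than S256)")
    if "subject_types_supported" in meta:
        findings.append("subject_types_supported is an OIDC-only field and could be removed")
    return findings


# Constructed sample documents (hypothetical values, not from any real deployment).
LOOPBACK_CLIENT_BEFORE = {
    "client_id": "http://localhost",
    "response_types": ["code", "code id_token"],
    "grant_types": ["authorization_code", "implicit"],
    "token_endpoint_auth_method": "nonce",
}
LOOPBACK_CLIENT_AFTER = {
    "client_id": "http://localhost",
    "response_types": ["code"],
    "grant_types": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_method": "none",
}
AUTHSERVER_BEFORE = {
    "issuer": "https://pds.example",
    "code_challenge_methods_supported": ["plain", "S256"],
    "subject_types_supported": ["public"],
}
AUTHSERVER_AFTER = {
    "issuer": "https://pds.example",
    "authorization_endpoint": "https://pds.example/oauth/authorize",
    "token_endpoint": "https://pds.example/oauth/token",
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    for label, doc, check in [
        ("loopback client (before)", LOOPBACK_CLIENT_BEFORE, check_loopback_client_metadata),
        ("loopback client (after)", LOOPBACK_CLIENT_AFTER, check_loopback_client_metadata),
        ("authserver (before)", AUTHSERVER_BEFORE, check_authserver_metadata),
        ("authserver (after)", AUTHSERVER_AFTER, check_authserver_metadata),
    ]:
        print(label, "->", check(doc) or "ok")
```

Running the script prints three findings for the "before" client document (the hybrid response type, the implicit grant, and the nonce/none typo), four for the "before" server document (two missing endpoints, 'plain', and the OIDC-only field), and "ok" for both corrected documents.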