🚀 The successor to oauthjs/oauth2-server. 🔒 Complete, compliant, maintained and well tested OAuth2 Server for node.js. Includes native async await and PKCE.
We should document that some conformity rules can only be implemented by the express/fastify/koa etc. layer.
Maybe we should collect the MUST rules that are needed to meet the conformity requirements but are (currently?) out of scope of the oauth2-server.
- The authorization endpoint MUST support the GET method. Probably a lot of people only implement the POST but not the GET method.

> The authorization server MUST support the use of the HTTP "GET"
> method [RFC2616] for the authorization endpoint and MAY support the
> use of the "POST" method as well.

https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
- TLS is also necessary, which is not enforced by the oauth2-server.

> The authorization server MUST require the use of TLS as described in
> Section 1.6 when sending requests using password authentication.

https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
- Brute-force protection for the endpoints is also a MUST according to the RFC.

> Since this client authentication method involves a password, the
> authorization server MUST protect any endpoint utilizing it against
> brute force attacks.