JuliusPC

Results 26 comments of JuliusPC

I am not sure if this is only an improvement. It also fixes bugs in the logout.

I would like to add some thoughts about WebAuthn. First, support by devices: - Many users already unknowingly use a device capable of WebAuthn: - Devices with Android > 7...

In my opinion you should just let `/.well-known/oauth-authorization-server` point to the same contents as `/.well-known/openid-configuration`. This should be allowed, [evidence for that in the spec](https://tools.ietf.org/html/rfc8414#section-3): > Some OAuth applications will...

> In the case of the WoltLab forum, we have to add a security token as parameter while logout: > > `https://DOMAIN.com/index.php?logout/&t=76e21c87e2c284cadbbb14bd2703088fd57de510` > > The security token will be changed...

It seems that your identity provider is unreliable. Improving its availability is the first and best option. Second, handle the exception gracefully in respect to its context. In your example...

Since the OIDC / OAuth 2 spec doesn’t specify a specific access token format, there are two types of access token: 1. opaque or reference token 2. parseable or self-contained...

> […] but the reason I have started using the JumboJett library is that it can be used as a generic client for any OIDC endpoint. This is an understandable...

I would implement it by allowing a custom string to be appended to the already randomly generated state and a way of retrieving the value afterwards (possible, since we know the length...

> On the other hand, it seems like it is better to use a different solution to solve my use case. I agree. Using the state for this may make...

If your identity provider doesn’t include the parameter in its openid-configuration, it likely doesn’t support this feature. In my opinion, throwing an exception if this happens is the right way...