Andrew Millington

Need to force `error_description` for version 9 and add in state response to the exception if present to close this issue off.

It does look like the documentation needs updating. The code works as follows: * The Auth server uses the _private_ key to sign payloads * The Resource server uses the...

Reopening as I want to track the documentation issue so we can resolve and then close.

Apologies for the delay on looking at this @datapp. I'm planning on merging this in later today although I will likely move the middleware into its own PSR folder instead...

Sorry I completely forgot about this. I'm focusing on the Device Auth Grant at the moment but will pick this up as soon as I can.

Fair point. Would welcome a PR to fix this.

Looking at this further, the CryptKey class was originally introduced to use passwords with your private key. I need to do a bit more investigation into this to find the...

Hello. Thanks for reporting this and sorry for the delayed response. When I replaced this I checked and our default access token issues an nbf claim so I didn't expect...

I've checked the docs and looks like looseValidAt will check nbf if it is present so that seems to be the best of both worlds. Users can still be assured...

Fixed and apologies for the delay. Thanks again for raising this