Andrew Millington

Thanks both for your offers of help with this. I think that Jacob's proposal would be more likely to be accepted. If my understanding of the RFC is correct, this...

Hi @diogodomanski. The library doesn't support PSR-15 at the moment but we will add support for this as our middleware was created prior to this standard. There isn't any guidance...

Thanks @cicnavi - this is an interesting one. We don't specifically ever check for the response_type parameter in the way the oauth 2 spec expects. If a client sends in...

Need to handle state parameter being included in error if provided.

Thanks @skroczek for the changes. If you are happy to, I can pick up any remaining issues to push this through to the 9.x branch? Will aim to do that...

No timescale on this I'm afraid. It will be done as soon as I get time but there is a lot to check.

I will review this as soon as the PKCE changes have been merged in. From memory, I hadn't looked at this as it was building on some pre-existing change requests...

@christiaangoossens I'm not sure this is the best approach. By allowing additional parameters at the authorisation code request, I _think_ we would be deviating from the OAuth spec. I can't...

@s3gs I agree that we must make it easier to add custom claims to the JWT. My assessment here is that it is happening at the wrong stage in the...

@jacobweber no it is listed as a release for v8. I don't have a definite schedule for that release yet. I was hoping to get it out late December/early Jan...