Andrew Millington
Yes it will. I've made some progress on this but keep hitting gotchas. The new PKCE handling should: * support PKCE if a code challenge is sent * Force PKCE...
@2blane and @thuethe could this not be solved by your database schema? Why don't you have a pivot table between users and tokens so that these can easily be searched?...
If you could outline why you are wanting to retrieve the user ID associated with the token as well that would be much appreciated.
Good catch. I didn't notice that the function doesn't require a secret at the time this change was made. I think I need to look into this in a bit...
Hi @matt-allan - sorry for my delay in looking at this. I've had a big think and I think ultimately, we should probably only validate a client for confidential...
Thanks both. I will aim to look at this this evening.
Yeah you are right that we don't currently implement OIDC so this shouldn't be a concern for us and we should just adhere to the already implemented RFCs. At the...
@marc-mabe had submitted a PR to fix the error_description which I had initially accepted but I think it will likely be reverted. Adding my comment here so others can see...
Sorry @marc-mabe I need to do a bit more reading on this. I initially thought that `error_description` was only used by error responses from the implicit grant and auth code...
Looks good to me. It is being used by all grants so happy to leave in. I will roll out a release shortly. Thank you