Arne Luenser

Results 66 comments of Arne Luenser

> > **Important**: When setting `pkce: force`, you must whitelist a different return URL for your OAuth2 client in the provider's configuration. Instead of `/self-service/methods/oidc/callback/`, you must use `/self-service/methods/oidc/callback` (note...

Superseded by https://github.com/ory/kratos/pull/4078

Hey. We will probably make some adjustments to how OIDC login works (internally) in the near future, so I would recommend maybe holding off on PRs for the moment (sorry...

I'm quite confident we don't need to make PKCE configurable. The only scenario where that would make sense is when the provider advertises PKCE support but doesn't actually support it....

The `active` field is what you are looking for I think. Have you tried it?

@fredbi sorry for pinging, but can you maybe shed some light on this?

I've only skimmed those PRs but they are IMO both too complicated and don't solve the issue cleanly. Reposting my recommended implementation strategy from [here](https://github.com/ory/hydra/pull/3865#issuecomment-2443840378): `SELECT ... FROM hydra_jwk` a)...

> I rebased the PR, even though I'm unsure why https://github.com/ory/x/commit/035d1e22c330736a5813588d1802d7403c97bad4 removed all test files 🤔

We've recently moved to an internal monorepo using https://github.com/google/copybara to synchronize PRs with the...

Note to self @alnr This is still relevant. It will allow the caller to check a session ultra-fast if they already know who the user is. Close to check-token perf.

To authenticate webhooks, HTTP email servers, and probably also secure SMTP, we could offer mTLS. Pretty easy to implement and proven security.