Ralph Andalis
Hi Elar, noted.
I am not sure what could be our actionable recommendation for this issue though. Maybe as a guide, let's write down the concern from this statement: > security problem to...
> There is absolutely a use-case to do a flow that includes both an OIDC claim (identity) and an OAuth2 claim (delegation) at the same time. Got any solid examples...
> And in general OIDC serves as authentication while OAuth2 tokens can be limited in scope and provide limited access to resources. This is what I think so as well...
The way I understood it, `51.2.2` is for ensuring that when you use a PKCE challenge or OIDC nonce they should be transaction-specific to prevent replay of these codes as...
@elarlang, is this being addressed by my latest PR #1971? Or am I missing something about it?
Understood, but I just pushed my PR since it has been sitting in my local for a while and I thought better to have it out there than get lost...
> Verify that Authorization Server accepts the redirect URI value from the Client that belongs to the pre-registered list of allowed values using the string-match method, e.g. wildcards are not...
> Are we ready to go with that or any errors or modifications needed? (We can do changes later as well) I like it! Just to wordsmith and fix the...
> _Verify that redirect URIs in authorization requests are absolute, using the HTTPS scheme, and validated by the Authorization Server using exact string comparison based on a client specific allow...
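The two requirements discussed in this thread, exact-match redirect URI validation against a client-specific allow list and transaction-bound PKCE challenges, as one added example. This is illustrative code written for this page, not code from the ASVS project or from anyone in the thread. The client IDs, registered redirect URIs and the `AuthorizationServer` class are constructed for the example; the `code_verifier` value in the usage at the bottom is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import secrets

# Constructed per-client allow list for this example (not data from the thread).
# Each value is the exact, absolute, HTTPS redirect URI the client pre-registered.
CLIENT_REDIRECT_URIS = {
    "web-client": {"https://app.example.com/cb"},
    "mobile-client": {"https://mobile.example.com/oauth/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """True only if redirect_uri is byte-for-byte equal to one of the client's
    registered values. The prefix check enforces 'absolute' and 'https';
    everything else is a plain string comparison, so no wildcard, prefix,
    host-only or normalised matching happens. 'https://app.example.com/cb/',
    'https://app.example.com.evil.tld/cb' and 'https://app.example.com/cb?x=1'
    are therefore all rejected for 'web-client'."""
    if not redirect_uri.startswith("https://"):
        return False
    return redirect_uri in CLIENT_REDIRECT_URIS.get(client_id, set())


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal in-memory AS (constructed for the example). Every authorization
    code is bound to the transaction that produced it: client_id, redirect_uri
    and the PKCE code_challenge, and is deleted on first use."""

    def __init__(self):
        self._codes = {}  # code -> transaction record

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        # Reject the request before issuing anything if the redirect URI is
        # not an exact match for this client's registered list.
        if not redirect_uri_allowed(client_id, redirect_uri):
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
        }
        return code

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
        record = self._codes.pop(code, None)  # single use: a replayed code is unknown
        if record is None:
            raise ValueError("unknown or already-used authorization code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        # The verifier must match the challenge stored for *this* transaction,
        # so a verifier captured from another flow cannot redeem this code.
        if not secrets.compare_digest(s256_challenge(code_verifier), record["code_challenge"]):
            raise ValueError("code_verifier does not match this transaction's challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    az = AuthorizationServer()
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B
    code = az.authorize("web-client", "https://app.example.com/cb", s256_challenge(verifier))
    print(az.token("web-client", code, "https://app.example.com/cb", verifier))
```

The allow list deliberately stores whole strings rather than patterns: the moment a wildcard or prefix rule is introduced, an attacker who controls any path or sub-host under the matched prefix can receive the code. The PKCE check is the second half of the same idea applied to the code itself, since a code whose challenge is not tied to one transaction can be redeemed with whichever verifier the attacker holds.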