Eric Chiang

Results 121 comments of Eric Chiang

Is this to figure out when you need to rotate the token? There's a lot of customization that request could use, and I don't know if we want to start...

Dup of https://github.com/coreos/go-oidc/issues/233?

Arguably we do have that: https://github.com/coreos/go-oidc/issues/233#issuecomment-582233909
Does the fix in that comment work? I think we need to document that workaround more prominently.

I've opened https://github.com/coreos/go-oidc/issues/344 for a broader conversation around Azure AD. If anyone from this thread has some insight, it'd be really appreciated.

What kind of errors would you want to differentiate? My experience with auth code is that it's best to be conservative, and effectively treat all errors as a 401.

This is the upstream spec as far as I can tell: https://openid.net/specs/openid-connect-messages-1_0-20.html
golang.org/x/oauth2 is the package that currently handles the OAuth2 requests (auth request, token request). This would likely be...

Can you point to where in the code you'd like to change? I am not a cryptographer, but aren't yescrypt and scrypt key derivation functions? If we were going...

Since https://github.com/coreos/go-oidc/pull/433 the remote key set ignores context cancelation. In hindsight, it was a really bad idea for this package to mirror golang.org/x/oauth2 and use context values for configuration, but...

So, currently the remote key set is intended as a background process, since it many-to-ones individual requests to verify a token with a single upstream request to refresh keys. The...

Thanks for the PR! I'm against using wrapped errors overly-broadly like this without making it part of the API contract. At the very least, there needs to be an associated...