Simon Hamp

> The class is currently generating a response Are you sure? I think what's happening is it's just extracting token claims and adding them to the `$request` object for easy...

I can’t see anything in that spec that suggests that you can’t/shouldn’t use the client_id as the `aud`. Do you have any specific concern with this @michaeldnelson?

@ShyZhen I don't think this is the right approach. [`fileperms()`](http://php.net/manual/en/function.fileperms.php) should still work correctly on Windows systems and this is an important security measure to make sure that your keys...

If/when this is available, implementors should be extra cautious about what they store in the JWT - **especially if it's not encrypted** - but even if it is, maybe things...

@mtangoo I appreciate your point, but I have to disagree. I don't feel that what you suggest is the correct approach. Letting others 'shoot their feet' is one of the...

Hence my original comment 🙂

I totally agree that we need to improve the documentation. It's quite an undertaking, but I'd like to give it a go. A library/package is likely to be overly prescriptive...

@chervand @Sephster just been looking through comments on this issue/PR and I think extending `ResponseTypeInterface` feels like the better option at this stage. Having said that, bundling into a new...

Thanks for sharing the extra detail @mrgrain. Also see comments on https://github.com/php/php-src/pull/2910. @louisfisch can you confirm the `preg_last_error()` code you're seeing when using the `RSA_KEY_PATTERN` constant? Is it a `PREG_JIT_STACKLIMIT_ERROR`?...

@louisfisch thanks for confirming that