Kévin Chalet
I'm personally speechless. Proper `state` support is absolutely essential to the security of an OAuth 2.0 client as it prevents session fixation/forged request attacks (and, when implemented correctly, helps reduce...
Keycloak supports OpenID Connect discovery/OAuth 2.0 authorization server metadata so you'd get better results with either the MSFT OIDC handler or with the new OpenIddict client (https://kevinchalet.com/2022/06/22/openiddict-4-0-preview1-is-out/), that support dynamic...
Have you tried to set `AccessDeniedPath` to a non-empty value in the options?
> I have not, @kevinchalet. I have been making use of the OnAccessDenied event to cause a redirect. Am I correct in understanding that this is basically a simpler way...
PayPal now supports OpenID Connect discovery/OAuth 2.0 authorization server metadata (https://www.paypal.com/.well-known/openid-configuration) and the authorization endpoint they return as part of the discovery document differs from the one we currently use...
It's confirmed: the OIDC implementation has a bunch of compliance issues, but it supports returning the `state` parameter even for errored requests. I was only able to test it against...
Adding the `help wanted` label in case someone would be interested in updating the PayPal provider to use the newer endpoints.
> Thoughts about this @kevinchalet? For the small amount of work involved in getting it to build I thought it was at least worth pushing up a draft to seek...
/cc @Tratcher
We typically rely on external contributions when it comes to adding new providers. Would you be interested?