mikael-linden

Looks reasonable. Aud is a common OIDC practice to restrict access token consumers.

In ver 1.2, do we want to introduce a mechanism (potentially based on [RFC8707](https://datatracker.ietf.org/doc/html/rfc8707)) to request a downscoped passport from a broker so no root passport becomes exposed to a...

How is the in the Passport Endpoint Response different from the regular ga4gh_passport_v1 claim received from /userinfo?