Tim Möhlmann

Results 284 comments of Tim Möhlmann

Checked the standards and `azp` has indeed become an extension outside the scope of OIDC. We can remove the check and allow an option to be passed that enables a...

The OpenID Connect standard is this one: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html Instead of sending a typical redirect to the client's callback we would respond with an HTML `` that auto-submits to the token...

I've just pushed with some intermediate state / WIP on implementing the LegacyServer

Some notes after meeting with @livio-a: **VerifyClient** We briefly discussed if `VerifyClient` should remain a method, because it is the only method that doesn't directly a handler. The alternative would...

For the response object typing we could use a private method interface which then enforces users (mostly) to embed certain base types. I made a small example using the `oidc.DiscoveryConfiguration`:...

Also CC @lefelys , as he implemented the token exchange. As I figure now this also largely depends on custom storage. If you have time, we would love to hear...

I second @livio-a's conclusion that our current implementation is valid. I just checked it without knowing he already replied. > causing errors when connecting to systems that require audience...

And a FAPI compliance test is failing with a single value was set to an array? Or is this a theoretical discussion?

After some digging we found this [conformance suite discussion](https://gitlab.com/openid/conformance-suite/-/issues/1195). Practically, the FAPI test suite introduces the error as it gives the idea the Audience should be a string. But that's...

With the proposed solution there would still be 2 discovery calls. As `WithPKCE` is an `Option` and discovery is always done during constructing the RP. If you would be able to...