Victor

Results 18 comments of Victor

**Scenario 1** **What** We add the resource owner (but really the client retrieving the access token) IP to the token, and verify this matches with the client IP on the...

I've had this exact question when I began devoting time to understanding all the different specs. Fragment encoding is in fact a part of OpenID specs. Definitely something you want if...

To be complete, these are features that are in OpenID Connect that are pretty desirable to me: - Fragment responses for authorisation requests - Token introspection (using [RFC7662](https://tools.ietf.org/html/rfc7662)) - Token...

It seems that the fragment is supposed to be used when using [Implicit Grant in the core OAuth 2.0](https://tools.ietf.org/html/rfc6749#section-4.2) spec. Though, I do think OpenID Connect does a much better...

Ah, missed that the PR made it an arbitrary character... No that is definitely not right. The reason the fragment is used for the implicit grant is of course to protect...

Not in favor, setting a far future expires date is effectively just as good and makes you think about what you're actually doing. What would be good is somehow being...

We are also running a non-root containerized environment with read-only file systems. Our containers are also never rebuilt between promotions to different environments. We worked around the issue by always...

I would be strongly against using a `.env` file directly. This package is still a library and should be implemented in projects managing the config on their own. Defining the...