Steve Riesenberg

@CrazyParanoid thanks for the issue. Before reviewing the PR, I'm reviewing RFC 9470 and it appears that there is more to that specification than just validating claims. The issue title...

@CrazyParanoid thanks for the additional details! > I think this issue is worth dividing. @sjohnr what do you think about that? Eventually I think that might make sense, but I...

Thanks for the PR @CaptainAye! This is now merged into `main`.

**Note:** When considering `ServerOAuth2AuthorizedClientExchangeFilterFunction` may need to return `Mono`: ``` @FunctionalInterface public interface ClientRegistrationIdResolver { @Nullable Mono resolve(ClientRequest request); } ``` Related gh-16284.

Thanks for reporting this Andy. I'll bring this to the team's attention.

@HyoJongPark > Did the discussion end with the direction of the issue removing unnecessary generics from the 'AuthorizationRequestRepository'? Yes, that is where we have landed for now. > I also...

Thanks for being patient, and sorry I was unable to look at this closely sooner. I'm doing some thinking about this issue this week. I think the challenges with this...

One additional thought I have is that we could publish the event with information directly from the `OAuth2AccessTokenResponse` which would contain the `id_token` parameter. This could actually make the event...

Thanks @ch4mpy. > But I think **it should happen every time the refresh token flow is used**, even when there is no ID token: in the case of "regular" OAuth2,...

Ok. I think we can keep it in mind, and see if it's possible to handle for OAuth2 Login without OIDC. However, I think focusing on updating the `SecurityContext` for...