Bob Aman

So the main issue I see is that the HTTP spec has pretty clear language on how proxies should handle this header. Namely, if the downstream client sends that header,...

@katzdm I've gone back and forth on whether retaining the ID token is the right answer and I'm increasingly thinking it maybe isn't. The main problem is that ID tokens...

I also have concerns about proceeding w/ this issue until after we at least have a second provider merged. I'm worried about tight coupling risks.

I think the auth header option should not be global but rather per-upstream.

FWIW, I'm really close on the AD PR, just wrapping up tests and minor refactoring, so shouldn't be much of a wait on a second provider.

I started working on this, and I'm starting to think this is, somewhat unexpectedly, a mistake in practice. Not quite ready to close this issue, but I think a better...

It might be nice to aim for a target release cadence, especially since the project is getting fairly regular improvements at the moment.

Yeah, I'm seeing the same thing too. Also for Reap.

https://pastebin.com/mYe9JX78

I agree w/ your reading of the spec, only unreserved characters should be getting decoded.